Software Systems for Surveying Spoofing Susceptibility

Seeking to minimize Internet's susceptibility to spoofed DDoS attacks, we will develop, build, and operate multiple open-source software tools to assess and report on the deployment of source address validation (SAV) best anti-spoofing practices.

Sponsored by:
Department of Homeland Security (DHS)

Principal Investigator: kc claffy

Funding source:  DHS S&T contract D15PC00188 Period of performance: August 3, 2015 - July 31, 2018.


Statement of Work (Completed)

Period I: Applied Research and Development (8 months, August 1, 2015 - March 31, 2016)

Task 1: Develop and deploy new client-server SAV testing system
1.1 Develop an extensible JSON-based structured data communications protocol for negotiating and coordinating complex spoofed packets measurements between the client and our server.
Specifications:

(a) set probing parameters (e.g., where to send spoofed packets, how to encode packets, etc.)
(b) encode traceroute measurements to determine the location of SAV filters
(c) report test results back to the client
1.2 Develop and release server software to be easily deployed by network operators for scheduling and coordinating SAV measurements, and transmitting results to a database
1.3 Deploy a server instance at CAIDA to support a public view of SAV deployment
1.4 Develop and release client software.
Specifications:

(a) can run in the background on Windows, MacOS, and UNIX-like systems
(b) regularly (weekly) test the ability to send and receive spoofed packets
(c) include intuitive GUI to communicate results to the user
(d)support opportunistic measurement by mobile laptops
(e) use link-layer sockets to send spoofed packets as complete Ethernet frames
(f) implement traceroute to help determine the location of SAV filtering
Task 2: Develop and deploy new reporting system to focus SAV compliance attention
2.1 Build a reporting engine that will correlate coverage of SAV tests with various characteristics of tested networks: type (e.g., access, transit), country of operation, IP reputation, their country's transparency of governance
2.2 Generate ingress access lists for all stub ASes that a transit provider could validate and deploy
2.3 Identify the fraction of customers of each transit provider in each region that have been observed spoofing packets
2.4 Identify transit providers who should be encouraged to deploy our ingress access lists
2.5 Build a public website to report per-network test outcomes, highlighting the most recent tests, on the specialized server at CAIDA
2.6 Enable privacy-preserving features to anonymize individual IP addresses when necessary
2.7 Add a searching functionality to allow any user to query for results for any network
2.8 Incorporate our stakeholder-focused analysis into the public website
Task 3: Research use of IXPs as a vantage point for SAV best practice assessment
3.1 Investigate methods to automatically build lists of customer cone prefixes belonging to IXP participants
3.2 Identify IXP participants with inadequate SAV deployment by analyzing packets captured at anycast DNS root-server instances deployed at IXPs and finding source addresses outside of the customer cones
3.3 Demonstrate to IXPs the measurement capabilities that can illuminate the SAV hygiene practices of their participating networks

Milestones and Deliverables (Period I)

# Milestone Deliverable Date Status 1 Report: Extensible client-server protocol Nov 1, 2015 done 2 Develop initial prototypes of client and server software Dec 1, 2015 done 3 Deploy a supported instance of server software at CAIDA Feb 1, 2016 done 4 Evaluate utility of DNS root-server data to obtain external view of IXP hygiene Report: Spoofed traffic to DNS root-servers Feb 1, 2016 done 5 Deploy public website to show outcomes of tests Software: Public website Mar 31, 2016 done 6 Final Report Mar 31, 2016 done

Period II: Development (12 months, April 1, 2016 - March 31, 2017)

Task 1: Refine client-server testing tools and reports according to experiences and feedback
1.1 Organize demonstration of software capabilities for DHS at the appropriate site/occasion (DHS site visit to CAIDA, a Program Meeting, or at DHS chosen site)
1.2 Deliver completed and tested client and server software to DHS
1.3 Publicly release the client-server software
1.4 Integrate telescope backscatter data into reporting system to display trends in randomly spoofed DDoS attacks over time
Specifications:

(a) incorporate characteristics of the targeted networks: type (e.g., access, transit), country of operation, IP reputation, their country's transparency of governance
(b) use historic CAIDA data collected since 2004 to provide a baseline for DDoS trends
1.5 Add support to client and server tools to determine whether a tested AS discards packets at the edge of its network arriving from outside of the network but purporting to be from inside the network
1.6 Adjust probing strategies of client tools based on operational experience to minimize unnecessary tests
Task 2: Research and develop a traceroute SAV-analysis system to infer providers that do not apply SAV to customers
2.1 Research methods and develop implementation to infer provider-customer links that imply lack of SAV by the provider
2.2 Report our inferences on the spoofer website
2.3 Ccontinuously generate customer cone prefixes to enable an up-to-date view of valid customer prefixes for a specified AS
2.4 Implement a query interface to dynamically report prefixes in the customer cone of a specified AS for the convenience of IXP operators

Milestones and Deliverables (Period II)

# Milestone Deliverable Date Status
1 Presentation: Demonstrating software to DHS Aug 1, 2016 done
2 Provide DHS with completed client and server software, make software public Software: release May 1, 2016 done
3 Present intermediate results to industry group (e.g., NANOG) Aug 1, 2016 done
4 Evaluate utility of system that uses traceroute data to infer provider-customer links without deployed best practices Sep 1, 2016 done
5 Report: Viability of traceroute SAV system Oct 1, 2016 done
6 Incorporate trends over time and properties of networks that do not filter spoofed packets into the reporting system Software: Updated reporting system Oct 1, 2016 done
7 Deploy web-based system to return customer cone prefixes for ASes Dec 1, 2016 done
8 Recommend strategies for region-specific SAV focus Report: SAV analysis with new data types Mar 31, 2017 done
9 Release client-server software that tests ability of client to receive spoofed packets Software: Year-end release Mar 31, 2017 done
Published
Last Modified