Spoofer: Software Systems for Surveying Spoofing Susceptibility
The proposal "Software Systems for Surveying Spoofing Susceptibility" is also available in PDF.
Principal Investigator: kc claffy
Funding source: DHS S&T contract D15PC00188 Period of performance: August 3, 2015 - July 31, 2018.
AbstractResponsive to TTA #1, we propose to develop, test, and deploy new tools to measure and report on the deployment of source address validation best practices. Our project includes applied research, software development, new data analytics, systems integration, operations and maintenance, and an interactive analysis and reporting service. First, to allow for testing and monitoring of individual networks, we will develop a polished open-source client-server system for Windows, MacOS, and UNIX-like systems that periodically tests a network's ability to both send and receive packets with forged source IP addresses (spoofed packets). Our system will address substantial deficiencies of the best available data on this global critical infrastructure vulnerability. Second, we will produce reports and visualizations to enable prioritization of source address validation (SAV) compliance attention where it will have the highest benefit, as well as real-time reports that focus operator attention based on observations of inadequate packet filtering as tests complete. Third, we will take advantage of data sources that magnify our view of SAV deployment on many networks without the need for a vantage point in each network, by developing a system to passively detect spoofed packets crossing an Internet exchange point (IXP) peering fabric. Some IXPs have hundreds of participating networks, which makes them an extremely large and entirely unexplored lens from which to measure and support expanded deployment of source address validation. Fourth, to promote testing of access networks, we will create an OpenWrt  package of our spoofer client and deploy it on the BISmark measurement platform . Finally, to assist contractors in evaluating SAV compliance, we will prototype a portable touch-screen appliance using the Raspberry Pi platform featuring our client software. We are uniquely qualified to pursue this work. First, we have extensive experience obtained from developing and operating the MIT spoofer project that informs the thorough approach we propose in this document. Second, we have access to unique sources of data that we will strategically utilize: the UCSD network telescope, which we will use to study the observable effects of SAV policy on spoofed DDoS attacks; and DNS-OARC traffic data for local-node (anycast) root server instances, which we will use to measure the deployment of best practices by ASes peering at public IXPs. Third, we have unparalleled expertise in developing Internet-scale active measurement software and AS topology relationship inferences, placing us in an ideal position to develop open source software for SAV assessment, as well as to develop and report SAV metrics and analysis.
1 Performance GoalsThe Regents of the University of California; University of California, San Diego on the behalf of the San Diego Supercomputer Center's Center for Applied Internet Data Analysis (CAIDA) research program, offer this technical proposal which includes the following deliverables: (1) a production-quality client-server source address validation (SAV) testing system that builds on experiences we gained in building and operating the existing system first deployed by Robert Beverly at MIT; (2) a reporting and analysis system that optimizes compliance attention and assesses its impact; (3) a traffic-based SAV-analysis system that gauges SAV deployment using traffic data and peering matrices from Internet exchange points (IXPs) and customer prefix data; (4) a portable touchscreen system that provides a convenient form factor for independent contractors to test SAV compliance; (5) an open-source home-router testing system. The project will leverage the results of existing technologies and infrastructure funded by the Department of Homeland Security and the National Science Foundation. The proposed work targets objectives outlined in TTA#1: Measurement and Analysis to Promote Best Current Practices. Specifically, we propose to build and operate multiple open-source software tools for anti-spoofing assessment that will allow a site to determine if it has successfully deployed source address validation, and provide on-going monitoring and testing to ensure SAV continues to operate correctly through network upgrades and reconfigurations. Our reporting and analysis system will promote the deployment of SAV by guiding compliance attention where it will have the most benefit, and provide independent measures of the effectiveness of the promoting SAV best-practices. To promote additional testing that will magnify our view of SAV deployment on many networks, we will pursue three additional goals: develop new analytics and software tools that detect spoofed packets crossing Internet exchange points; port our testing tools to the most popular open source home router platform; and prototype a portable appliance that government-approved agents could use in compliance testing. The resulting technologies and data will improve our ability to identify, monitor, and mitigate the infrastructure vulnerability that serves as the primary vector of massive DDoS attacks on the Internet.
2 Detailed Technical ApproachDespite source IP address spoofing being a known vulnerability for at least 25 years , and despite many efforts to shed light on the problem (e.g. [6,8,9]), spoofing remains a viable attack method for redirection, amplification, and anonymity, as evidenced most recently and publicly in February 2014 during a 400 Gbps DDoS attack against Cloudflare . That particular attack used an amplification vector in some implementations of NTP ; a previous attack against Spamhaus  in March 2013 achieved 300+ Gbps using an amplification vector in DNS. While some application-layer patches can mitigate these attacks , attackers continuously search for new vectors. To defeat DDoS attacks requires operators to ensure their networks filter packets with spoofed source IP addresses , a best current practice (BCP) known as source address validation (SAV). However, a network that deploys source address validation primarily helps other networks, a classic tragedy of the commons in the Internet. Testing a network's SAV compliance requires a measurement vantage point inside (or adjacent to) the network, because the origin network of arbitrary spoofed packets cannot be determined . For the past nine years, our approach was to use a software client that volunteers across the Internet could download and run from their networks, testing their own network's ability to send various types of spoofed packets to our server, which collected and aggregated test results. Figure 1 illustrates a simplified view of our current system architecture, which includes: (1) a server instance that coordinates measurements and obtains results, (2) client software for Windows, MacOS, and UNIX-like systems, and (3) a set of distributed Ark nodes that receive spoofed packets and allow us to infer where along a path source address validation (SAV) may be taking place.
2.1 Production-quality source address validation testing systemWe will build a production-quality client-server testing system that will periodically test the ability of a vantage point to send and receive packets with forged source addresses. This system will include client and server software implementations required to accomplish testing; we will build both from scratch to overcome limitations in the current system. Our client software will contain a GUI for Windows, MacOS, and UNIX-like systems that allows a user to initiate a test and receive feedback on the outcome of the test: i.e. can the local network forward packets with forged source IP addresses, and if so, are the forged addresses limited to local subnet addresses, or a larger prefix? We will give the user an option, enabled by default, to have the software client run spoofing tests periodically in the background, initiating tests on any attached networks at most once per week. To prevent operating system interference when using raw sockets, the client will construct all packets as layer-2 frames regardless of operating system. Our client and server software will support IPv4 and IPv6, allowing the user to check if security policy is being applied consistently for both protocols. Where we find SAV deployment, we will utilize a built-in implementation of tracefilter  to infer where SAV filters are deployed, by sending spoofed TTL-limited packets and observing where in the path ICMP time exceeded messages are no longer generated. We will write new server software that is easily deployable by others, such as independent government agencies and transit network operators. We will use Transport Layer Security (TLS) to prevent tampering with our spoofing tests. To support user communities, e.g., government networks, who are not comfortable testing to our servers, we will enable the client to configure its own selected server address. To support a more flexible approach to private testing, we will explore a redirection capability whereby other server operators instruct our spoofer server to redirect certain clients (based on the IP address they use to connect to our server instance) to their instance. To improve user incentives to deploy the tool, we will add support to our client to test if the network has appropriate ingress filtering in place; specifically, we will test if the client is able to receive traffic from our server with spoofed source IP addresses in the same /24 subnet as the client. The tested network should filter such addresses at the edge of their network, per IETF Best Current Practice 84 . This feature will also help operators detect weaknesses in their network that could be exploited by attacks such as triangular spamming . To further incentivize deployment we will provide the user with additional visibility into their network's hygiene, such as the reputation of their network in the security community based on known IP-reputation blacklists.
2.2 Use measurement results to inform compliance effortsDirectly responsive to objective 2 of TTA #1, we propose a further development task that will utilize our expanded view of the spoofing landscape to focus anti-spoofing compliance attention where it will have the highest benefit. We propose to build a new web-based reporting system that will focus efforts of stakeholders and policy makers by correlating our expanded coverage of SAV tests (section 2.1) with characteristics of the tested networks such as their type (e.g., access, transit), country of operation, IP reputation, and their country's transparency of governance. Many small enterprises at the edge will never deploy SAV best practices, but we can help their upstream transit providers to deploy SAV on behalf of these edge networks by generating ingress access lists for ASes that are customers of a given transit provider, who could validate these access lists with these customers and deploy them to discard packets with forged source IP addresses. Using AS rank data , we will identify the transit providers in each country whose filtering practices could have the greatest impact in reducing spoofed traffic based on the number and types of customer networks they provide transit for. To motivate transit providers to deploy ingress access lists, we will annotate each transit provider with information on the observed ability of networks beneath them to spoof traffic. The reports will also serve to focus efforts of network operators in deploying mitigation strategies to reduce harms from inadequate filtering deployments. Our reporting and analysis system will have an option to restrict reports to an individual country, to assist countries in planning and implementing their own policies. In order to provide an independent view of the impact of mitigation strategies against spoofed DDoS attacks, we will leverage the UCSD network telescope  to track evidence of DDoS attacks over time. Network telescopes are able to indirectly observe randomly-spoofed denial of service attacks worldwide by capturing a portion of the responses sent back from the victim to the spoofed IP addresses (backscatter traffic) . Based on the technique originally presented in , we will develop software to automatically detect randomly-spoofed DDoS attacks worldwide, and we will extract data in order to observe trends in the targets (e.g., by country and AS) and magnitude of attacks (duration and volume). CAIDA has collected and stored backscatter traffic since 2004, enabling historic longitudinal view in such trends. While the telescope cannot be used to measure the deployment progress of BCP38, it does allow an independent view of anti-spoofing efforts on the measured impact on spoofed DDoS attacks. Our reporting system will publicly report summary data for all networks for which it has SAV tests. We will issue a weekly report for operators which summarizes SAV results from tested networks, similar in purpose to the CIDR report  which highlights unnecessary deaggregation of IP prefix announcements. We anticipate peer pressure will drive deployment of SAV filters where measurements have revealed the ability of a client in the network to send packets with forged source IP addresses. We will use our SpooferProject twitter account to strategically report test results, similar to how Comcast tweets when DNSSEC validation fails .
2.3 Traffic SAV analysis system
Figure #3 Architecture of IXP-based testing system. Using CAIDA's customer cone inferences, a mapping of switch ports to ASes, and traffic data, we can infer which networks have deployed SAV.
- Comcast DNS Twitter Account. https://twitter.com/ComcastDNS.
- OpenWrt: Wireless freedom. http://openwrt.org/.
- F. Baker and P. Savola. Ingress filtering for multihomed networks, March 2004. IETF BCP84, RFC 3704.
- S.M. Bellovin. Security problems in the TCP/IP protocol suite. ACM/SIGCOMM Computer Communication Review (CCR), 19(2):32-48, April 1989.
- Robert Beverly. Spoofer project: State of ip spoofing. http://spoofer.cmand.org/summary.php.
- Robert Beverly and Steven Bauer. The spoofer project: Inferring the extent of source address filtering on the Internet. In Proceedings of USENIX SRUTI, July 2005.
- Robert Beverly and Steven Bauer. Tracefilter: A tool for locating network source address validation filters. In USENIX Security Poster, August 2007.
- Robert Beverly, Arthur Berger, Young Hyun, and k claffy. Understanding the efficacy of deployed Internet source address validation filtering. In Proceedings of the 9th ACM SIGCOMM Internet Measurement Conference, November 2009.
- Robert Beverly, Ryan Koga, and kc claffy. Initial longitudinal analysis of IP source spoofing capability on the Internet, July 2013. http://www.internetsociety.org/.
- Peter Bright. Spamhaus DDoS grows to Internet-threatening size, March 2013.
- CAIDA. Cartographic capabilities for critical cyberinfrastructure. DHS S&T contract N66001-12-C-0130.
- Center for Applied Internet Data Analysis. UCSD Network Telescope, 2010. https://www.caida.org/data/passive/network_telescope.
- Alberto Dainotti, Karyn Benson, Alistair King, kc claffy, Michalis Kallitsis, Eduard Glatz, and Xenofontas Dimitropoulos. Estimating Internet address space usage through passive measurements. ACM SIGCOMM Computer Communications Review, 44, Jan. 2014.
- Amogh Dhamdhere, Matthew Luckie, Bradley Huffaker, k claffy, Ahmed Elmokashfi, and Emile Aben. Measuring the deployment of IPv6: Topology, routing and performance. In ACM SIGCOMM Internet measurement Conference, pages 537-559, November 2012.
- P. Ferguson and D. Senie. Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing, May 2000. IETF BCP38, RFC 2827.
- Geoff Huston. Cidr report, November 2014. http://www.cidr-report.org/.
- Elisa Jasinska. sFlow - I can feel your traffic, December 2006. 23rd Chaos Communication Congress.
- Matthew Luckie, Bradley Huffaker, Amogh Dhamdhere, Vasileios Giotsas, and k claffy. AS relationships, customer cones, and validation. In ACM SIGCOMM Internet measurement conference, pages 243-256, October 2013.
- David Moore, Colleen Shannon, Douglas J. Brown, Geoffrey M. Voelker, and Stefan Savage. Inferring Internet denial-of-service activity. ACM Trans. Comput. Syst., 24, May.
- Matthew Prince. Technical details behind a 400Gbps NTP amplification DDoS attack, February 2014. http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack.
- Zhiyun Qian, Z. Morley Mao, Yinglian Xie, and Fang Yu. Investigation of triangular spamming: A stealthy and efficient spamming technique. In IEEE Security and Privacy, May 2010.
- Albin Sebastian. Default time to live (TTL) values, December 2009. https://www.binbert.com/blog/2009/12/default-time-to-live-ttl-values/.
- Srikanth Sundaresan, Sam Burnett, Nick Feamster, and Walter de Donato. Bismark: A testbed for deploying measurements and applications in broadband access networks. In Proceedings of the USENIX Annual Technical Conference (ATC), June 2014.
- Paul Vixie. Rate-limiting state: The edge of the Internet is an unruly place. ACM Queue, 12(2):1-5, February 2014.
- Wikipedia. List of Internet exchange points by size.
File translated from TEX by T T H, version 3.87.
On 19 Nov 2014, 12:22.