Spoofed traffic inference at IXPs: Challenges, methods and analysis
L. Müller, M. Luckie, B. Huffaker, k. claffy, and M. Barcellos, "Spoofed traffic inference at IXPs: Challenges, methods and analysis", Computer Networks, vol. 182, Aug 2020.

Lucas Müller (1, 2)
Matthew Luckie (3)
Bradley Huffaker (1)
kc claffy (1)
Marinho Barcellos (2, 3)

1. CAIDA, San Diego Supercomputer Center, University of California San Diego
2. Universidade Federal do Rio Grande do Sul (UFRGS)
3. University of Waikato

Ascertaining that a network will forward spoofed traffic usually requires an active probing vantage point in that network, effectively preventing a comprehensive view of this global Internet vulnerability. Recently, researchers have proposed using Internet Exchange Points (IXPs) as observatories to detect spoofed packets, by leveraging Autonomous System (AS) topology knowledge extracted from Border Gateway Protocol (BGP) data to infer which source addresses should legitimately appear across parts of the IXP switch fabric. We demonstrate that the existing literature does not capture several fundamental challenges to this approach, including noise in BGP data sources, heuristic AS relationship inference, and idiosyncrasies in IXP interconnectivity fabrics. We propose Spoofer-IX, a novel method to navigate these challenges, leveraging customer cone semantics of AS relationships to guide precise classification of inter-domain traffic as in-cone, out-of-cone (spoofed), unverifiable, bogon, and unassigned. We apply our method in three distinct periods to two IXPs, with 200+ and 1,600+ members each, and find an upper bound volume of out-of-cone traffic to be more than an order of magnitude less than the previous method inferred on the same data, revealing the practical importance of customer cone semantics in such analysis. We observed no significant improvement in deployment of Source Address Validation (SAV) in networks using the mid-size IXP between 2017 and 2019. In hopes that our methods and tools generalize to use by other IXPs who want to avoid use of their infrastructure for launching spoofed-source DoS attacks, we explore the feasibility of scaling the system to larger and more diverse IXP infrastructures. To promote this goal, and broad replicability of our results, we make the source code of Spoofer-IX publicly available.

Keywords: active data analysis, routing
  Last Modified: Thu Oct-22-2020 21:54:41 UTC
  Page URL: https://www.caida.org/publications/papers/2020/spoofed_traffic_inference_ixps/index.xml