Network Hygiene, Incentives, and Regulation

Luckie, Matthew; Beverly, Robert; Koga, Ryan; Keys, Ken; Kroll, Joshua A.; Claffy, Kimberly C.

doi:10.1145/3319535.3354232

Cited by 51 publications

(26 citation statements)

References 34 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It can be divided into inbound source address validation (ISAV) and outbound source address validation (OSAV) [22], [14], [41]. While a majority of observed networks (∼85% prefixes and ∼70% autonomous systems) have deployed OSAV according to the Spoofer project [47], [9], [6], the lack of ISAV is much more pervasive [14], [41]. Therefore, it is crucial to understand the Internet-wide ISAV deployment.…”

Section: Measuring Deployment Of Inbound Source Addressmentioning

confidence: 99%

“…While previous work for ISAV deployment measurements mainly relied on in-network volunteers [47], [9], [6] or DNS resolvers [41], [14], all of our measurements can be performed from one local vantage point with better coverage, and do not rely on in-network volunteers or in-network open DNS servers. Our measurements cover ∼9.7k ASes, finding that ∼79% of them are (partially) vulnerable to spoofing, which is the most large-scale measurement study of IPv6 ISAV to date.…”

Section: Measuring Deployment Of Inbound Source Addressmentioning

confidence: 99%

“…IP source address spoofing refers to the process of sending packets having arbitrary IP addresses as their source IP addresses. These spoofed packets are difficult to trace and usually result in reflection and amplification attacks [47], [50], [41], flooding the victim with traffic. For example, a spoofingbased reflection attack against Amazon Web Services in 2020 resulted in record-breaking traffic of 2.3 Tbps [69].…”

Section: B Sav and Its Measurementmentioning

confidence: 99%

“…Since the source address of inbound packets is unlikely to belong to the destination network, ISAV filters such packets to reduce the potential risk of spoofing-based attacks. Measurement studies already show that lack of ISAV is much more severe than OSAV [47], [9], [14], [41].…”

Section: B Sav and Its Measurementmentioning

confidence: 99%

See 3 more Smart Citations

Your Router is My Prober: Measuring IPv6 Networks via ICMP Rate Limiting Side Channels

Pan¹,

Yang²,

Wang³

et al. 2023

Proceedings 2023 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Active Internet measurements face challenges when some measurements require many remote vantage points. In this paper, we propose a novel technique for measuring remote IPv6 networks via side channels in ICMP rate limiting, a required function for IPv6 nodes to limit the rate at which ICMP error messages are generated. This technique, IVANTAGE, can to some extent use 1.1M remote routers distributed in 9.5k autonomous systems and 182 countries as our "vantage points". We apply IVANTAGE to two different, but both challenging measurement tasks: 1) measuring the deployment of inbound source address validation (ISAV) and 2) measuring reachability between arbitrary Internet nodes. We accomplish these two tasks from only one local vantage point without controlling the targets or relying on other services within the target networks. Our large-scale ISAV measurements cover ∼50% of all IPv6 autonomous systems and find ∼79% of them are vulnerable to spoofing, which is the most large-scale measurement study of IPv6 ISAV to date. Our method for reachability measurements achieves over 80% precision and recall in our evaluation. Finally, we perform an Internet-wide measurement of the ICMP rate limiting implementations, present a detailed discussion on ICMP rate limiting, particularly the potential security and privacy risks in the mechanism of ICMP rate limiting, and provide possible mitigation measures. We make our code available to the community.

show abstract

Section: Measuring Deployment Of Inbound Source Addressmentioning

confidence: 99%

Section: Measuring Deployment Of Inbound Source Addressmentioning

confidence: 99%

Section: B Sav and Its Measurementmentioning

confidence: 99%

Section: B Sav and Its Measurementmentioning

confidence: 99%

See 2 more Smart Citations

Your Router is My Prober: Measuring IPv6 Networks via ICMP Rate Limiting Side Channels

Pan¹,

Yang²,

Wang³

et al. 2023

Proceedings 2023 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Thus, DNS packets with spoofed IP addresses can leave the network. Recent work showed that such misconfigured networks are still not uncommon on the Internet[33,31] and they are publicly listed[8]. The attacker does not have any special hardware or software requirements, because a single DNS packet, occasionally resent, is enough to keep the loop going.…”

mentioning

confidence: 99%

Routing Loops as Mega Amplifiers for DNS-Based DDoS Attacks

Nosyk

Korczyński

Duda

2022

Passive and Active Measurement

View full text Add to dashboard Cite

DDoS attacks are one of the biggest threats to the modern Internet as their magnitude is constantly increasing. They are highly effective because of the amplification and reflection potential of different Internet protocols. In this paper, we show how a single DNS query triggers a response packet flood to the query source, possibly because of middleboxes located in networks with routing loops. We send DNS A requests to 3 billion routable IPv4 hosts and find 15,909 query destinations from 1,742 autonomous systems that trigger up to 46.7 million repeating responses. We perform traceroute measurements towards destination hosts that resulted in the highest amplification, locate 115 routing loops on the way, and notify corresponding network operators. Finally, we analyze two years of historical scan data and find that such "mega amplifiers" are prevalent. In the worst case, a single DNS A request triggered 655 million responses, all returned to a single host.

show abstract

Don’t Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation of Inbound Traffic

Korczyński

Nosyk

Lone

et al. 2020

Passive and Active Measurement

View full text Add to dashboard Cite

This paper concerns the problem of the absence of ingress filtering at the network edge, one of the main causes of important network security issues. Numerous network operators do not deploy the best current practice-Source Address Validation (SAV) that aims at mitigating these issues. We perform the first Internet-wide active measurement study to enumerate networks not filtering incoming packets by their source address. The measurement method consists of identifying closed and open DNS resolvers handling requests coming from the outside of the network with the source address from the range assigned inside the network under the test. The proposed method provides the most complete picture of the inbound SAV deployment state at network providers. We reveal that 32 673 Autonomous Systems (ASes) and 197 641 Border Gateway Protocol (BGP) prefixes are vulnerable to spoofing of inbound traffic. Finally, using the data from the Spoofer project and performing an open resolver scan, we compare the filtering policies in both directions.

show abstract

Network Hygiene, Incentives, and Regulation

Cited by 51 publications

References 34 publications

Your Router is My Prober: Measuring IPv6 Networks via ICMP Rate Limiting Side Channels

Your Router is My Prober: Measuring IPv6 Networks via ICMP Rate Limiting Side Channels

Routing Loops as Mega Amplifiers for DNS-Based DDoS Attacks

Don’t Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation of Inbound Traffic

Contact Info

Product

Resources

About