Using Loops Observed in Traceroute to Infer the Ability to Spoof

Lone, Qasim; Luckie, Matthew; Korczyński, Maciej; Eeten, Michel van

doi:10.1007/978-3-319-54328-4_17

Cited by 26 publications

(24 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…• Autonomous systems: while based on a few received queries, we cannot by any means conclude on the filtering policies of the whole AS-they reveal SAV compliance for a part of it [3,4,18,19].…”

Section: Filtering Levelsmentioning

confidence: 99%

“…The reasons for not performing packet filtering include incidentally filtering out legitimate traffic, equipment limitations, and lack of a direct economic benefit. The last aspect assumes outbound SAV when the deployed network can become an attack source but cannot [20,15] outbound absence yes yes Traceroute loops [18] outbound absence yes yes Passive detection [16,21] outbound both no no Our method [5] inbound both yes no be attacked itself. Performing inbound SAV protects networks from, for example, the threats described above, which is beneficial from the economic perspective.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Don’t Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation of Inbound Traffic

Korczyński

Nosyk

Lone

et al. 2020

Passive and Active Measurement

Self Cite

View full text Add to dashboard Cite

This paper concerns the problem of the absence of ingress filtering at the network edge, one of the main causes of important network security issues. Numerous network operators do not deploy the best current practice-Source Address Validation (SAV) that aims at mitigating these issues. We perform the first Internet-wide active measurement study to enumerate networks not filtering incoming packets by their source address. The measurement method consists of identifying closed and open DNS resolvers handling requests coming from the outside of the network with the source address from the range assigned inside the network under the test. The proposed method provides the most complete picture of the inbound SAV deployment state at network providers. We reveal that 32 673 Autonomous Systems (ASes) and 197 641 Border Gateway Protocol (BGP) prefixes are vulnerable to spoofing of inbound traffic. Finally, using the data from the Spoofer project and performing an open resolver scan, we compare the filtering policies in both directions.

show abstract

Section: Filtering Levelsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Don’t Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation of Inbound Traffic

Korczyński

Nosyk

Lone

et al. 2020

Passive and Active Measurement

Self Cite

View full text Add to dashboard Cite

show abstract

“…There exist methods aimed at enumerating networks without packet filtering [1][2][3][8][9][10][11][12][13][14][15]. However, a great majority of the existing work concentrates on outbound SAV, the root of DDoS attacks [8].…”

Section: Introductionmentioning

confidence: 99%

Inferring the Deployment of Inbound Source Address Validation Using DNS Resolvers

Korczyński

Nosyk

Lone³

et al. 2020

Proceedings of the Applied Networking Research Workshop

Self Cite

View full text Add to dashboard Cite

This paper reports on the first Internet-wide active measurement study to enumerate networks not filtering incoming packets based on their source address. Our method identifies closed and open DNS resolvers handling requests from the outside of the network with the source address in the prefix of the tested network. The study gives the most complete picture of the inbound Source Address Validation deployment at network providers: 32,673 IPv4 ASes and 197,641 IPv4 BGP prefixes are vulnerable to spoofing of inbound traffic. CCS CONCEPTS • Networks → Network measurement; Security.

show abstract

“…When a router receives a packet to an unused portion of internal address space, the destination address may match a default route and return via the router interface that received the packet. In 2017, Lone et al [39] used detection of these persistent forwarding loops to infer networks that did not deploy source address validation (SAV) to filter packets with spoofed source IP addresses; in Fig. 2 1 should discard packets with source address 203.0.113.1 because the address is not valid for that attachment point, i.e., does not match a route via 3 .…”

Section: Introductionmentioning

confidence: 99%

vrfinder

Marder

Luckie

Huffaker

et al. 2020

Proc. ACM Meas. Anal. Comput. Syst.

Self Cite

View full text Add to dashboard Cite

Current methods to analyze the Internet's router-level topology with paths collected using traceroute assume that the source address for each router in the path is either an inbound or off-path address on each router. In this work, we show that outbound addresses are common in our Internet-wide traceroute dataset collected by CAIDA's Ark vantage points in January 2020, accounting for 1.7%-5.8% of the addresses seen at some point before the end of a traceroute. This phenomenon can lead to mistakes in Internet topology analysis, such as inferring router ownership and identifying interdomain links. We hypothesize that the primary contributor to outbound addresses is Layer 3 Virtual Private Networks (L3VPNs), and propose vrfinder, a technique for identifying L3VPN outbound addresses in traceroute collections. We validate vrfinder against ground truth from two large research and education networks, demonstrating high precision (100.0%) and recall (82.1%-95.3%). We also show the benefit of accounting for L3VPNs in traceroute analysis through extensions to bdrmapIT, increasing the accuracy of its router ownership inferences for L3VPN outbound addresses from 61.5%-79.4% to 88.9%-95.5%.

show abstract

Using Loops Observed in Traceroute to Infer the Ability to Spoof

Cited by 26 publications

References 12 publications

Don’t Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation of Inbound Traffic

Don’t Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation of Inbound Traffic

Inferring the Deployment of Inbound Source Address Validation Using DNS Resolvers

vrfinder

Contact Info

Product

Resources

About