Clouseau: A practical IP spoofing defense through route-based filtering
Jelena Mirkovic, University of Delaware ([email protected]); Nikola Jevtic, Google Inc.; Peter Reiher, UCLA


Page 1: Clouseau: A practical IP spoofing defense through route-based filtering

Clouseau: A practical IP spoofing defense through route-based filtering

Jelena Mirkovic, University of Delaware ([email protected])
Nikola Jevtic, Google Inc.
Peter Reiher, UCLA

Page 2: Clouseau: A practical IP spoofing defense through route-based filtering

Outline

What is IP spoofing? Why should we care?
Route-based filtering (RBF)
– Filter packets that come on an unexpected path
– 97% effective if deployed at a few core ASes
– Tables must be complete!
Clouseau protocol
– Builds tables for RBF and keeps them current in the face of route changes
– Sets up spoofed-packet filters
– Fast and accurate decision, small impact on traffic

Page 3: Clouseau: A practical IP spoofing defense through route-based filtering

What is IP spoofing?

[Figure: three hosts, Andy (1.2.3.4), Lea (5.6.7.8) and Danny (9.10.11.12), connected through the Internet. Lea sends a packet whose header reads "From: 1.2.3.4, to: 9.10.11.12", i.e. it carries Andy's address as source.]

Faking the IP address in the source field of the IP header

IP spoofing RBF Clouseau

Page 4: Clouseau: A practical IP spoofing defense through route-based filtering

IP spoofing uses

Hide the attacker's identity
Invoke replies to the spoofed address
– Reflector DDoS attacks
Create decoy packets that hide the attacker's vulnerability scanning
Assume a good host's identity and gain priority service or status


Page 5: Clouseau: A practical IP spoofing defense through route-based filtering

If IP spoofing were reduced

Attacks would be easier to detect and attribute
We could build IP address profiles to track user behavior
– Reward good users, punish bad ones
Reflector attacks would be reduced


Page 6: Clouseau: A practical IP spoofing defense through route-based filtering

Route-based filtering

[Figure: the same three hosts as before, Andy (1.2.3.4), Lea (5.6.7.8) and Danny (9.10.11.12).]

Route Based Filtering [RBF]: build incoming tables that store the incoming interface for a given source IP. Filter packets that arrive on the wrong interface. Tables must be updated upon a route change. Lea's path could overlap with Andy's, so some spoofing will go undetected.

[RBF] K. Park, H. Lee, "On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets," SIGCOMM 2001

Page 7: Clouseau: A practical IP spoofing defense through route-based filtering

Route-based filtering

[Figure: Andy (1.2.3.4), Lea (5.6.7.8) and Danny (9.10.11.12). Danny's router has two interfaces, 1 and 2, and the incoming table:

From       Interface
5.6.7.8    1
1.2.3.4    2

Lea's packet "From: 1.2.3.4, to: 9.10.11.12" arrives on interface 1, but the table expects source 1.2.3.4 on interface 2, so the packet is filtered.]


Page 8: Clouseau: A practical IP spoofing defense through route-based filtering

RBF effectiveness

If RBF is deployed on the vertex cover of the AS map [RBF]:
– Deployment percentage: 18.9%
– Percentage of (s,d) pairs that cannot contain spoofed traffic: 96%
– ASes that cannot spoof: 88%

Downside: 18.9% of ASes is more than 4000!

[RBF] K. Park, H. Lee, "On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets," SIGCOMM 2001


Page 9: Clouseau: A practical IP spoofing defense through route-based filtering

Open questions

How well does RBF work under sparse deployment?
What if incoming tables are incomplete?
How to build incoming tables?


Page 10: Clouseau: A practical IP spoofing defense through route-based filtering

Effectiveness measures

We will observe packets sent from s to d, spoofing the address p.
Target measure (fixed d):
– How many (s,p) combinations are possible to this victim
Stolen address measure (fixed p):
– How many (s,d) combinations are possible spoofing this address
Spoofability:
– How many (s,d,p) combinations are possible
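The RBF check from slides 6 and 7 and the three measures just defined, as an added Python example (not code from the Clouseau project or the [RBF] paper). The six-AS topology, the use of BFS shortest paths as routes and the complete incoming tables are all assumptions; real AS paths are policy-driven. A three-AS line is also included because its measures can be checked by hand, and it shows the overlap case from slide 6: a filter never rejects a spoofed packet whose claimed source really does sit behind the interface it arrived on.

```python
"""Route-based filtering (RBF) and its effectiveness measures on a constructed
AS-level topology. Added example; all AS numbers and links are made up."""
from collections import deque

# Constructed topology: AS -> neighbouring ASes (undirected links).
TOPOLOGY = {
    1: [2, 3],
    2: [1, 3, 4],
    3: [1, 2, 5],
    4: [2, 5, 6],
    5: [3, 4, 6],
    6: [4, 5],
}


def shortest_path(graph, src, dst):
    """BFS path src -> dst; neighbours are visited in sorted order so that
    every run picks the same route for the same pair (assumed routing)."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nb in sorted(graph[node]):
            if nb not in prev:
                prev[nb] = node
                queue.append(nb)
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def build_incoming_tables(graph, filters):
    """Complete RBF incoming tables: for filter f and source AS p, the
    neighbour on which packets that really originate at p reach f."""
    return {f: {p: shortest_path(graph, p, f)[-2] for p in graph if p != f}
            for f in filters}


def rbf_accepts(tables, f, claimed_src, arrived_from):
    """The per-packet RBF check: the claimed source must match the interface."""
    return tables[f].get(claimed_src) == arrived_from


def spoof_reaches(graph, tables, s, d, p):
    """Does a packet sent by s to d with spoofed source p pass every filter
    on its route? The sending AS s itself is not checked."""
    path = shortest_path(graph, s, d)
    for hop, came_from in zip(path[1:], path):
        if hop in tables and not rbf_accepts(tables, hop, p, came_from):
            return False
    return True


def _triples(graph):
    """All (s, d, p) with s != d and p != s (p == s is not spoofing)."""
    return [(s, d, p) for s in graph for d in graph if d != s
            for p in graph if p != s]


def _fraction(graph, tables, triples):
    return sum(spoof_reaches(graph, tables, *t) for t in triples) / len(triples)


def target_measure(graph, tables, d):
    """Fixed victim d: fraction of (s, p) pairs that can still reach it spoofed."""
    return _fraction(graph, tables, [t for t in _triples(graph) if t[1] == d])


def stolen_address_measure(graph, tables, p):
    """Fixed stolen address p: fraction of (s, d) pairs that can still use it."""
    return _fraction(graph, tables, [t for t in _triples(graph) if t[2] == p])


def spoofability(graph, tables):
    """Fraction of all (s, d, p) combinations that remain possible."""
    return _fraction(graph, tables, _triples(graph))


if __name__ == "__main__":
    for filters in ([], [2, 5], list(TOPOLOGY)):
        tables = build_incoming_tables(TOPOLOGY, filters)
        print(f"filters={filters!s:<20} spoofability={spoofability(TOPOLOGY, tables):.2f} "
              f"target(d=6)={target_measure(TOPOLOGY, tables, 6):.2f}")
```

Adding filters can only lower each measure, but even filters at every AS do not drive spoofability to zero: an AS that forwards traffic for its neighbour can still spoof that neighbour's addresses toward the rest of the network, which is the overlap the slide warns about.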


Page 11: Clouseau: A practical IP spoofing defense through route-based filtering

Target measure, May '05

[Figure: target measure (0 to 1) vs. number of filters (0 to 50). Series: filters POP, all POP, filters CON, all CON.]

Page 12: Clouseau: A practical IP spoofing defense through route-based filtering

Stolen address measure, May '05

[Figure: stolen address measure (0 to 1) vs. number of filters (0 to 50). Series: filters POP, all POP, filters CON, all CON.]

Page 13: Clouseau: A practical IP spoofing defense through route-based filtering

Spoofability over years

[Figure: spoofability (0 to 1) vs. number of filters (0 to 50), one series per year: 2001, 2002, 2003, 2004, 2005.]

Page 14: Clouseau: A practical IP spoofing defense through route-based filtering

Effectiveness summary

First 20 filters have a considerable impact!
50 filters drastically reduce spoofing
Filters receive instant benefit from RBF
– They reduce their target measure
– Stolen address measure is only reduced when we deploy enough filters


Page 15: Clouseau: A practical IP spoofing defense through route-based filtering

Filter membership

2005   2001   2002   2003   2004   2005
3356   701    701    7018   7018   3356
7018   1239   6461   701    3356   7018
701    7018   7018   1239   701    701
1239   6461   1239   209    568    1239
209    3561   568    1      1239   209
174    1      1      3561   2914   174
7132   2914   2914   2914   174    7132
3549   209    3561   3549   209    3549
2914   702    293    3356   7132   2914
702    3549   714    702    6461   702
721    174    8918   3257   3549   721
6461   293    209    6461   12956  6461
3561   3356   174    1668   4134   3561
3320   9057   3257   3491   721    3320
12956  6453   5673   7911   3320   12956
3303   4766   6453   4637   17676  3303
6939   5673   3549   16631  3561   6939
2516   3908   1103   293    2686   2516
4637   568    3320   4766   71     4637
13237  2548   702    5511   237    13237
4589   5650   2686   3908   702    4589
4766   2686   237    5673   13237  4766
2828   6172   2647   721    2647   2828
3491   1755   721    11608  4637   3491
6453   3320   2828   2686   293    6453
2686   6347   71     6539   3303   2686
4323   3786   9057   1299   714    4323
7911   2828   1668   3320   6939   7911
6539   1267   80     568    33     6539
5511   703    4134   3786   5511   5511
1299   2907   5511   174    2516   1299
3786   1785   6805   4323   2152   3786
286    3967   7170   2548   4766   286
4134   237    3908   6395   80     4134
1668   5511   3356   2647   15412  1668
8220   1103   680    6347   4589   8220
2497   1221   4766   852    6453   2497
2152   8335   6172   703    1668   2152
2907   3269   2907   2828   4837   2907
4713   3215   8434   2907   6762   4713
3257   4323   1267   4134   2907   3257
2856   3303   17676  1267   6805   2856
1221   2497   852    237    1103   1221
1273   2647   786    7132   680    1273
1267   5006   3786   3269   1299   1267
22773  577    4538   2856   6539   22773
1257   4230   5466   3215   786    1257
6395   714    4637   4713   3292   6395
19262  4134   577    2497   6395   19262
3269   2856   1299   1221   3491   3269

Persist over 5 years (17)
Persist over 3 years (14)


Page 16: Clouseau: A practical IP spoofing defense through route-based filtering

Long-term members

7018, 2686: AT&T
701, 702: UUNET Technologies, Inc.
1239: Sprint
209: Qwest
3561: Savvis
2914: Verio, Inc.
3549: Global Crossing
6461: Abovenet Communications, Inc.
3356: Level 3 Communications, LLC
174: Cogent Communications
3320, 5511: RIPE Network Coordination Centre
4766, 4134, 2907: Asia Pacific Network Information Centre


Page 17: Clouseau: A practical IP spoofing defense through route-based filtering

How to build incoming tables

Incoming interface = outgoing interface
– Asymmetric routing defeats this
Participating source networks send reports along paths to destinations they talk to [SAVE]
– Infer the incoming interface from the route the report takes or from the report's info – partial tables!
Infer incoming interface info from BGP updates [IDPF]
– This allows multiple expected interfaces
Infer incoming interface info from traffic


Page 18: Clouseau: A practical IP spoofing defense through route-based filtering

Clouseau

Packets at an unexpected interface trigger the inference process
Out of the first N packets:
– Drop random V, store unique ID in DropQueue
– Forward N-V, store unique ID in FwQueue
When a packet is repeated:
– If in DropQueue, gain 1 valid point
– If in FwQueue, gain 1 spoof point
Decision if valid score = V or spoof score = S
Inference is banned for a time afterwards


Page 19: Clouseau: A practical IP spoofing defense through route-based filtering

Clouseau in action

[Figure: packet 1 arrives on the unexpected interface and is dropped; its ID is stored in DropQueue. FwQueue is empty. RC = 0, SP = 0.]

Drop 1, ... Forward 2, 3, ...

Page 20: Clouseau: A practical IP spoofing defense through route-based filtering

Clouseau in action

[Figure: packet 2 arrives and is forwarded; its ID is stored in FwQueue. DropQueue: 1. FwQueue: 2. RC = 0, SP = 0.]

Drop 1, ... Forward 2, 3, ...

Page 21: Clouseau: A practical IP spoofing defense through route-based filtering

Clouseau in action

[Figure: packet 3 arrives and is forwarded. DropQueue: 1. FwQueue: 2, 3. Valid = 0, Spoof = 0.]

Drop 1, ... Forward 2, 3, ...

Page 22: Clouseau: A practical IP spoofing defense through route-based filtering

Clouseau in action

[Figure: packet 1 arrives again and is found in DropQueue. DropQueue: 1. FwQueue: 2, 3.]

Repeating dropped packets increases the valid score

Valid = 1, Spoof = 0

Drop 1, ... Forward 2, 3, ...

Page 23: Clouseau: A practical IP spoofing defense through route-based filtering

Clouseau in action

[Figure: packet 2 arrives again and is found in FwQueue. DropQueue: 1. FwQueue: 2, 3.]

Repeating forwarded packets increases the spoof score

Valid = 1, Spoof = 1

Drop 1, ... Forward 2, 3, ...

Page 24: Clouseau: A practical IP spoofing defense through route-based filtering

Clouseau in action

[Figure: packet 1 arrives a third time. DropQueue: 1. FwQueue: 2, 3.]

Repeating dropped packets more than once doesn't change the scores

Valid = 1, Spoof = 1

Drop 1, ... Forward 2, 3, ...

Page 25: Clouseau: A practical IP spoofing defense through route-based filtering

Clouseau in action

[Figure: packet 2 arrives a third time. DropQueue: 1. FwQueue: 2, 3.]

Repeating forwarded packets more than once increases the spoof score

Valid = 1, Spoof = 2

Drop 1, ... Forward 2, 3, ...

Page 26: Clouseau: A practical IP spoofing defense through route-based filtering

Design decisions

DropQueue size = V, FwQueue size = k*S
Why a forwarded queue?
– To stop a packet-repeating attacker
Should S > 0?
– Congestion; sources don't use selective acks
Why an inference ban?
– Inference lets packets through; our goal is to filter
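The inference process of slide 18, with the queue sizes from the design decisions above and the scoring rules walked through on slides 19 to 25, as an added Python simulation. This is not the Clouseau kernel implementation. Assumptions beyond the slides: the unique packet ID is a hash of addresses, IP ID and payload; packets beyond the first N that repeat nothing are forwarded without being recorded; a decision not reached within `timeout` packets is reported as "timeout" (slide 33 says random spoofing is detected on timeout); and the ban is modelled by refusing further packets once a decision exists. The two traffic generators are constructed: a legitimate sender that retransmits what was dropped, and random spoofed traffic that never repeats anything.

```python
"""Clouseau inference for one (source prefix, unexpected interface) pair.
Added example; parameters N, V, S, k are the slides', everything else is assumed."""
import hashlib
import random
from collections import deque


def packet_id(src, dst, ip_id, payload):
    """Unique ID under which a packet is remembered in the queues (assumed)."""
    digest = hashlib.sha256(f"{src}|{dst}|{ip_id}|".encode() + payload)
    return digest.hexdigest()[:16]


class ClouseauInference:
    def __init__(self, N=10, V=2, S=2, k=2, timeout=50, seed=1):
        assert 0 < V <= N and S > 0 and k > 0
        self.N, self.V, self.S, self.timeout = N, V, S, timeout
        rng = random.Random(seed)
        self.drop_slots = set(rng.sample(range(N), V))  # which of the first N to drop
        self.drop_queue = set()                          # DropQueue, size V
        self.fw_queue = deque(maxlen=k * S)              # FwQueue, size k*S, oldest evicted
        self.credited = set()        # dropped packets already turned into a valid point
        self.fresh = self.total = self.valid = self.spoof = 0
        self.decision = None

    def process(self, pid):
        """Handle one packet on the unexpected interface. Returns (action, decision):
        action is 'drop' or 'forward', decision stays None until inference ends."""
        if self.decision is not None:
            raise RuntimeError("inference is over; filter is in its ban period")
        self.total += 1
        if pid in self.drop_queue:
            # Retransmission of a packet we dropped: a real, responsive sender.
            self.drop_queue.discard(pid)
            self.credited.add(pid)
            self.valid += 1
            action = "forward"
        elif pid in self.credited:
            action = "forward"       # further repeats change nothing (slide 24)
        elif pid in self.fw_queue:
            self.spoof += 1          # every repeat of a forwarded packet counts (slide 25)
            action = "forward"
        elif self.fresh < self.N:
            if self.fresh in self.drop_slots:
                self.drop_queue.add(pid)
                action = "drop"
            else:
                self.fw_queue.append(pid)
                action = "forward"
            self.fresh += 1
        else:
            action = "forward"       # inference lets packets through
        if self.valid >= self.V:
            self.decision = "route-change"   # update the incoming table
        elif self.spoof >= self.S:
            self.decision = "spoofing"       # keep filtering this source/interface
        elif self.total >= self.timeout:
            self.decision = "timeout"
        return action, self.decision


def simulate_legitimate_sender(engine, n_packets=12):
    """Constructed sender whose route just changed: it sends fresh segments and
    retransmits the ones the filter dropped, as TCP does when no ACK arrives."""
    dropped = []
    for i in range(n_packets):
        pid = packet_id("10.0.0.1", "192.0.2.9", i, b"seg%d" % i)
        action, decision = engine.process(pid)
        if action == "drop":
            dropped.append(pid)
        if decision:
            return decision
    for pid in dropped:
        _, decision = engine.process(pid)
        if decision:
            return decision
    return engine.decision


def simulate_random_spoofer(engine, seed=7):
    """Constructed traffic with random sources and payloads: nothing is ever
    repeated, so neither score moves and inference ends on timeout."""
    rng = random.Random(seed)
    while engine.decision is None:
        payload = bytes(rng.getrandbits(8) for _ in range(8))
        pid = packet_id(f"203.0.113.{rng.randrange(256)}", "192.0.2.9",
                        rng.randrange(65536), payload)
        engine.process(pid)
    return engine.decision


if __name__ == "__main__":
    print(simulate_legitimate_sender(ClouseauInference()))   # route-change
    print(simulate_random_spoofer(ClouseauInference()))      # timeout
```

The bounded FwQueue is what gives the k*S design its meaning: only the most recent k*S forwarded IDs can earn a spoof point, so memory per inference is fixed at V + k*S entries regardless of how much traffic arrives.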


Page 27: Clouseau: A practical IP spoofing defense through route-based filtering

Performance measures

Impact on legitimate traffic– Connection delay due to drops and policing

Inference delay– How long until we discover a route change or attack


Page 28: Clouseau: A practical IP spoofing defense through route-based filtering

Test setting

Clouseau implemented in the Linux kernel, tested in Emulab
Start 10 parallel TCP connections, change the route in the middle


Page 29: Clouseau: A practical IP spoofing defense through route-based filtering

Traffic delay vs. queue size

[Figure: connection duration (s), 80 to 140, vs. N (0 to 600), with the "baseline avg + stdev" and "baseline avg - stdev" lines for reference; pd = V/N = 0.1.]

Page 30: Clouseau: A practical IP spoofing defense through route-based filtering

Inference time vs. queue size

[Figure: inference delay (s), 0 to 1.6, vs. N (0 to 600); pd = V/N = 0.1.]

Page 31: Clouseau: A practical IP spoofing defense through route-based filtering

Traffic delay vs. Pd

[Figure: connection duration (s), 80 to 140, vs. Pd (0 to 1), with the "baseline avg + stdev" and "baseline avg - stdev" lines for reference; N = 100.]

Page 32: Clouseau: A practical IP spoofing defense through route-based filtering

Inference time vs. Pd

[Figure: inference delay (s), 0 to 1.6, vs. Pd (0 to 1); N = 100.]

Page 33: Clouseau: A practical IP spoofing defense through route-based filtering

Attacks

Random spoofing
– Detected on timeout
Repeat each packet n times
– Best choice: n=2
– First packet dropped: gain 1 valid point
– First packet forwarded: damage is 1 spoof point
– Larger damage but not larger gain for n>2
Send N packets, then repeat a permutation
– Attacker knows the values of V, S, k
– Goal is to trick Clouseau into changing the incoming interface
– Send N packets, then choose a permutation of these
– N large enough to guarantee that the queues fill


Page 34: Clouseau: A practical IP spoofing defense through route-based filtering

Permutation attack

Good permutations for the attacker:
– Have V packets from DropQueue before S packets from FwQueue

Probability that the attacker manages to cheat us

Probability of cheating decreases exponentially with longer queues


Page 35: Clouseau: A practical IP spoofing defense through route-based filtering

Pspoof vs. queue size and pd

[Figure: contour plot of Pspoof over Pd (0 to 1, x axis) and N (0 to 800, y axis), with contours labelled 10^-3, 10^-5 and 10^-10.]

Page 36: Clouseau: A practical IP spoofing defense through route-based filtering

Cascaded filters

Filters downstream will drop packets forwarded by filters upstream
– This could lead to route changes being wrongly inferred as spoofing – legitimate traffic dropped!!!
We must break filter synchronization
– Choose a random delay before starting inference – synchronization still possible
– Random initial delay, then mark forwarded packets in the TOS or ID field with a well-known mark
– Filters that spot marked packets delay or interrupt inference and wait for T seconds
– Maximum wait is set to several minutes, then start inference even if the mark is seen
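The desynchronization rules above as a small scheduler, added here as an example and not the authors' code. Assumptions: time is a float in seconds supplied by the caller; the well-known mark is a constructed TOS bit (`MARK`), set by an inferring filter on every packet it forwards; a filter that saw a marked packet less than T seconds ago keeps waiting, unless it has already waited `max_wait` seconds since it first wanted to start, in which case it starts regardless. Which TOS or ID bits Clouseau actually used is not on the slides.

```python
"""Breaking synchronization between cascaded Clouseau filters.
Added example; the mark value, the timing rule and the constants are assumed."""
import random

MARK = 0x04   # constructed well-known mark carried in the TOS field


def mark_forwarded(tos):
    """What an inferring filter does to the TOS byte of a packet it forwards."""
    return tos | MARK


class InferenceScheduler:
    """Decides when a filter may start inference for an unexpected-interface flow."""

    def __init__(self, T=5.0, max_wait=300.0, seed=1):
        rng = random.Random(seed)
        self.T = T                                  # wait after seeing a mark
        self.max_wait = max_wait                    # cap on total waiting
        self.initial_delay = rng.uniform(0.0, T)    # random initial delay
        self.wanted_since = None   # first time packets hit the unexpected interface
        self.last_mark = None      # last time a marked packet was seen

    def observe(self, now, tos):
        """Called for every packet arriving on the unexpected interface."""
        if self.wanted_since is None:
            self.wanted_since = now
        if tos & MARK:
            self.last_mark = now   # an upstream filter is already inferring

    def may_start(self, now):
        """True when this filter should begin its own inference at time `now`."""
        if self.wanted_since is None:
            return False
        waited = now - self.wanted_since
        if waited < self.initial_delay:
            return False
        if waited >= self.max_wait:
            return True            # cap reached: start even if marks keep coming
        return self.last_mark is None or now - self.last_mark >= self.T


if __name__ == "__main__":
    s = InferenceScheduler(T=5.0, max_wait=300.0, seed=1)
    s.observe(0.0, tos=0)
    s.observe(10.0, tos=mark_forwarded(0))
    for t in (0.0, 10.0, 12.0, 16.0):
        print(t, s.may_start(t))
```

A filter that has started inference keeps marking what it forwards, so a downstream filter keeps seeing fresh marks and keeps deferring; the cap on waiting is what prevents an upstream filter that never finishes (or a spoofer that sets the mark itself) from suppressing inference indefinitely.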


Page 37: Clouseau: A practical IP spoofing defense through route-based filtering

Remaining design issues

Spoofing attacks could still go through if they change the spoofed address frequently
– We only care if it is part of a DDoS
– Examine offending packets; if many of them share a common destination, detect DDoS and drop all offending traffic to this destination
Operating cost
– Memory cost could be large if all entries go into inference
– There are ~35K incoming table entries, when aggregated
– We plan to investigate the use of Bloom filters to bring down the memory cost


Page 38: Clouseau: A practical IP spoofing defense through route-based filtering

Conclusions

RBF can drastically reduce spoofing if deployed at the 20-50 largest ASes (60% are top members for at least 3 years)
Clouseau builds accurate incoming tables
Quickly detects route changes/spoofing
– Small impact on legitimate connections
Robust to attacks


Page 39: Clouseau: A practical IP spoofing defense through route-based filtering

Questions?

Page 40: Clouseau: A practical IP spoofing defense through route-based filtering

Vertex Cover

Choose a minimal number of nodes so that all links have at least one node in the VC. NP-complete problem.

Page 41: Clouseau: A practical IP spoofing defense through route-based filtering

Vertex Cover

Heuristic: first choose nodes with leaf neighbors, then choose enough nodes to cover the remaining links.
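The two-phase heuristic above on a constructed AS graph, as an added Python example (not the authors' code). The graph is made up: four well-connected core ASes (1 to 4) and twelve single-homed stub ASes (10 to 21). The slides do not say how "enough nodes to cover remaining links" are picked; the second phase here greedily takes the node touching the most uncovered links, which is an assumption. The resulting cover is the RBF deployment set of slide 8, and `deployment_fraction` is the quantity reported there as 18.9%.

```python
"""Vertex cover heuristic for choosing RBF deployment points.
Added example; the topology and the greedy second phase are assumed."""

# Constructed topology: AS -> neighbouring ASes (undirected links).
AS_GRAPH = {
    1: {2, 3, 10, 11, 12},
    2: {1, 3, 4, 13, 14},
    3: {1, 2, 4, 15, 16, 17},
    4: {2, 3, 18, 19, 20, 21},
    10: {1}, 11: {1}, 12: {1}, 13: {2}, 14: {2},
    15: {3}, 16: {3}, 17: {3}, 18: {4}, 19: {4}, 20: {4}, 21: {4},
}


def _links(graph):
    """Set of undirected links as frozensets {u, v}."""
    return {frozenset((u, v)) for u in graph for v in graph[u]}


def is_vertex_cover(graph, cover):
    """Every link must have at least one endpoint in the cover."""
    return all(link & cover for link in _links(graph))


def vertex_cover_heuristic(graph):
    uncovered = _links(graph)
    cover = set()

    def take(node):
        cover.add(node)
        for nb in graph[node]:
            uncovered.discard(frozenset((node, nb)))

    def remaining(node):
        return sum(frozenset((node, nb)) in uncovered for nb in graph[node])

    # Phase 1: a leaf's only link is covered by its neighbour, never by the
    # leaf itself, so take every such neighbour first.
    for leaf in sorted(graph):
        if len(graph[leaf]) == 1:
            (nb,) = graph[leaf]
            if frozenset((leaf, nb)) in uncovered:
                take(nb)

    # Phase 2 (assumed): cover the rest greedily, most uncovered links first,
    # smallest AS number on ties so the result is deterministic.
    while uncovered:
        take(max(sorted(graph), key=remaining))
    return cover


def deployment_fraction(graph, cover):
    """Share of ASes that would have to run RBF (slide 8 reports 18.9%)."""
    return len(cover) / len(graph)


if __name__ == "__main__":
    cover = vertex_cover_heuristic(AS_GRAPH)
    print(sorted(cover), is_vertex_cover(AS_GRAPH, cover),
          f"{deployment_fraction(AS_GRAPH, cover):.1%}")
```

On a power-law AS graph most nodes are stubs hanging off a few large providers, which is why phase 1 alone already pulls the core into the cover and why the cover, though a sizeable fraction of ASes, is concentrated in the providers listed on slide 16.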
