IP Spoofing Defense
On the State of IP Spoofing Defense
Toby Ehrenkranz and Jun Li, University of Oregon
Outline
IP Spoofing
  Impersonation
  Hiding
  Reflection
IP Spoofing Defense
  Host-based Defense Methods
    Cryptographic Solutions
    SYN Cookies
    IP Puzzles
  Router-Based Defense Methods
    Ingress/Egress Filtering
    Distributed Packet Filtering (DPF)
    Source Address Validity Enforcement (SAVE)
  Hybrid Defenses
    Path Identifier (Pi)
References
IP Spoofing

Definition
Creation of IP packets whose source address is not one assigned to the sending host.

Malicious uses of IP spoofing
Impersonation: session hijack or reset
Hiding: flood attack with random source addresses
Reflection: IP reflected (amplification) attack
Impersonation: session hijack or reset
The attacker sends an IP spoofed packet to the victim with Src: Partner, Dst: Victim.
The victim assumes the partner sent the packet and starts responding with Src: Victim, Dst: Partner.
The replies go to the partner, not the attacker, but the attacker can still inject into or reset the session between partner and victim.
Hiding: flood attack
The attacker floods the victim with packets carrying random source addresses (Src: Random, Dst: Victim).
The random addresses hide where the attack comes from and defeat simple per-source blocking or rate limiting.
Reflection
Examples: Smurf attacks (ICMP echo requests to a broadcast address), DNS amplification attacks.
The attacker sends an IP spoofed request, e.g. a DNS query, to a reflector with Src: Victim, Dst: Reflector.
The reflector answers the listed source: Src: Reflector, Dst: Victim.
The victim receives a lot of replies to requests it never sent; with DNS amplification the replies are also much larger than the queries that triggered them.
Figure: IP reflected attack
Figure: DNS amplification attack
IP Spoofing Defense
Three classes of solutions
1. Host-based solutions
  No need to change the network infrastructure; easy to deploy
  React too late: spoofed packets have already reached the host
2. Router-based solutions
  Core or edge solutions
  Harder to deploy
  Most effective
3. Hybrid solutions
  Routers + hosts
Cryptographic Solutions
Host-based solutions such as IPsec
Require a handshake to set up secret keys between the two hosts
Communication between the two hosts can then be authenticated and encrypted
An attacker without the keys cannot spoof packets that are accepted on the protected connection
While IPsec is effective in many cases, it has some drawbacks:
The key-setup handshake can fail
It is not feasible to require all hosts to connect through IPsec
Encryption costs time and reduces performance
SYN Cookies
Some servers use SYN cookies so that a flood of SYNs with spoofed source addresses cannot exhaust their connection state
A server using SYN cookies does not allocate resources until the 3-way handshake is complete
How does it work?
The server answers a SYN with a SYN+ACK whose initial sequence number is a cookie V, computed as a keyed hash of the source and destination addresses and ports plus a coarse timestamp; it stores nothing about the half-open connection
When the client's ACK arrives, the server recomputes V from the packet's addresses and ports and checks the acknowledgment number
If the acknowledgment number equals V + 1 ⇒ the cookie is valid and the server creates the connection
A spoofed source never receives the SYN+ACK, so it cannot return a valid acknowledgment
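The SYN cookie mechanism described above, as an added example that is not part of the original slides or the paper. The bit layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash), the 64-second counter step and the MSS table are assumptions of this example in the style of Bernstein's scheme; the server keeps no per-connection state and verifies purely by recomputation.

```python
import hashlib
import hmac
import secrets
import time

# Added example, not from the slides or the paper: a minimal SYN cookie in the
# style of Bernstein's scheme. The bit layout is an assumption of this example:
#   bits 31..27 : 5-bit time counter t (64-second steps, mod 32)
#   bits 26..24 : index into MSS_TABLE (the MSS the client offered, rounded down)
#   bits 23..0  : truncated HMAC of (src ip, src port, dst ip, dst port, t)
SERVER_SECRET = secrets.token_bytes(32)   # per-server secret, rotated in practice
MSS_TABLE = (536, 1220, 1440, 1460)       # at most 8 entries fit in 3 bits
COOKIE_LIFETIME_SEC = 64

def _time_counter(now):
    return (int(now) // COOKIE_LIFETIME_SEC) & 0x1F

def _hash24(src_ip, src_port, dst_ip, dst_port, t, secret):
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{t}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:3]

def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_mss,
                    now=None, secret=SERVER_SECRET):
    """Return the 32-bit ISN the server places in its SYN+ACK. The server keeps
    no per-connection state: everything needed to verify is in the cookie."""
    now = time.time() if now is None else now
    t = _time_counter(now)
    # largest table MSS not exceeding what the client offered
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    h = int.from_bytes(_hash24(src_ip, src_port, dst_ip, dst_port, t, secret), "big")
    return (t << 27) | (mss_idx << 24) | h

def check_syn_cookie(ack_num, src_ip, src_port, dst_ip, dst_port,
                     now=None, secret=SERVER_SECRET):
    """Verify the final ACK of the handshake. Returns the negotiated MSS if the
    ACK acknowledges a cookie this server recently issued to this 4-tuple,
    otherwise None (stale, forged, or the SYN+ACK went to a spoofed source
    that never saw it)."""
    now = time.time() if now is None else now
    cookie = (ack_num - 1) & 0xFFFFFFFF          # the client acknowledges ISN + 1
    t, mss_idx, h = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    cur = _time_counter(now)
    if t not in (cur, (cur - 1) & 0x1F):         # accept current and previous slot
        return None
    if mss_idx >= len(MSS_TABLE):
        return None
    expected = _hash24(src_ip, src_port, dst_ip, dst_port, t, secret)
    if not hmac.compare_digest(h.to_bytes(3, "big"), expected):
        return None
    return MSS_TABLE[mss_idx]
```

Only the 4-tuple, the time counter and the server secret enter the hash, so a SYN flood costs the server one HMAC per SYN and no memory; the price is that TCP options not encoded in the cookie (window scaling, SACK) are lost, which is why real stacks fall back to cookies only under pressure.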
IP Puzzles
A server sends an IP puzzle to a client that wants to connect
The client solves the puzzle by performing some computational task
The server allows the connection only after receiving the correct solution
The puzzle is sent to the source address listed in the packet, not to the attacker
A spoofing attacker never receives the puzzle ⇒ it cannot submit a solution, and every real client has to spend work per connection
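A hash-based client puzzle in the spirit of the IP puzzles above, as an added example that is not from the slides or the paper. The puzzle format is an assumption of this example: the server derives a nonce from a secret, the client's source address and a 30-second time slot, the client must find a counter whose SHA-256 together with the nonce has the requested number of leading zero bits, and the server re-derives the nonce from the arriving packet's source address so a solution only counts for the address the puzzle was actually sent to.

```python
import hashlib
import hmac
import time

# Added example, not from the slides or the paper: a hash-based client puzzle.
# Assumptions of this example:
#  - nonce = HMAC(secret, client_ip || time_slot), so the server stores nothing;
#  - the client must find x with SHA-256(nonce || x) starting with `difficulty`
#    zero bits (expected work ~2**difficulty hashes);
#  - verification recomputes the nonce for the *packet's* source address.
SLOT_SECONDS = 30

def _nonce(client_ip, slot, secret):
    return hmac.new(secret, f"{client_ip}|{slot}".encode(), hashlib.sha256).digest()[:16]

def _leading_zero_bits(digest):
    n = 0
    for byte in digest:
        if byte == 0:
            n += 8
            continue
        n += 8 - byte.bit_length()
        break
    return n

def issue_puzzle(client_ip, difficulty, secret, now=None):
    """Server side: build the puzzle that is sent to client_ip (and only there)."""
    now = time.time() if now is None else now
    return _nonce(client_ip, int(now) // SLOT_SECONDS, secret), difficulty

def solve_puzzle(nonce, difficulty):
    """Client side: brute-force a counter x that satisfies the puzzle."""
    x = 0
    while True:
        digest = hashlib.sha256(nonce + x.to_bytes(8, "big")).digest()
        if _leading_zero_bits(digest) >= difficulty:
            return x
        x += 1

def verify_solution(src_ip, difficulty, solution, secret, now=None):
    """Server side: two hashes at most. Accepts the current and the previous
    slot so a client delayed across a slot boundary is not rejected."""
    now = time.time() if now is None else now
    slot = int(now) // SLOT_SECONDS
    for s in (slot, slot - 1):
        digest = hashlib.sha256(_nonce(src_ip, s, secret) + solution.to_bytes(8, "big")).digest()
        if _leading_zero_bits(digest) >= difficulty:
            return True
    return False
```

Because the nonce is bound to the source address, a host that spoofs another address receives no puzzle and, even if it could guess the nonce, would have to pay the hash work for every spoofed connection attempt, which is what turns the flood back on the attacker.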
Router-Based Defense Methods
Most host-based methods can also be used in routers
IPsec and IP puzzles have been used in routers
Ingress/Egress Filtering
Filtering packets on their source address
before they enter the local network ⇒ ingress filtering
before they leave the local network ⇒ egress filtering
The key is knowing which source addresses are expected on a particular port
Reverse path filtering (RPF) can help to build this knowledge:
a router knows which networks are reachable through each of its interfaces (its routing table), so a packet whose source address is not reachable through the interface it arrived on is treated as spoofed
It is not easy to obtain this knowledge in networks with complicated topologies
Drawbacks of ingress/egress filtering:
Hard to deploy
Cannot stop local spoofing: an attacker can still use any address within its own network's prefix
RPF may drop legitimate packets when routing is asymmetric
With less than 100% deployment, ingress/egress filtering is largely ineffective
Distributed Packet Filtering (DPF)
Routers throughout the network keep track of the incoming direction of packets:
which interface a packet with a particular source address should arrive on
A router detects a spoofed packet if it arrives on a different interface
Even partial deployment limits the number of addresses attackers can use
Source Address Validity Enforcement (SAVE)
Filters packets based on their incoming direction, like DPF
Every router maintains and updates its own incoming table, learned from SAVE update messages that travel the same paths as the data packets
SAVE assumes all routers deploy SAVE
Not feasible
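The difference between RPF (ingress/egress filtering above) and an incoming table of the DPF/SAVE kind shows up as soon as routing is asymmetric. The following added example, which is not from the slides or the paper, builds a made-up four-router topology with directed link costs so that traffic from 10.1.0.0/16 to 10.2.0.0/16 travels A-B-D while the return path is D-C-A, then checks one packet at router D with strict RPF, loose RPF and a SAVE-style incoming table. Router names, prefixes, costs and the "interface equals next-hop router" convention are all assumptions of the example; the SAVE update protocol is simplified to walking the forwarding paths.

```python
import heapq
import ipaddress

# Added example, not from the slides or the paper: toy topology with asymmetric
# routing to compare strict/loose RPF (local routing table) with a SAVE-style
# incoming table (learned along the paths data actually follows).
# All router names, prefixes and link costs are made up.

# Directed link costs. A->D is cheapest via B, but D->A is cheapest via C.
LINKS = {
    ("A", "B"): 1, ("B", "D"): 1, ("A", "C"): 5, ("C", "D"): 5,
    ("D", "C"): 1, ("C", "A"): 1, ("D", "B"): 5, ("B", "A"): 5,
}
# Stub networks and the router each one hangs off.
PREFIXES = {"10.1.0.0/16": "A", "10.2.0.0/16": "D"}

def shortest_paths(src):
    """Dijkstra over LINKS; returns {router: [src, ..., router]}."""
    nodes = {n for edge in LINKS for n in edge}
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for (a, b), cost in LINKS.items():
            if a == u and d + cost < dist.get(b, float("inf")):
                dist[b], prev[b] = d + cost, u
                heapq.heappush(heap, (d + cost, b))
    paths = {}
    for n in nodes:
        if n not in dist:
            continue
        path = [n]
        while path[-1] != src:
            path.append(prev[path[-1]])
        paths[n] = path[::-1]
    return paths

def routing_table(router):
    """{prefix: interface used to reach it}: 'local' for an attached prefix,
    otherwise the next-hop router. This is what RPF consults."""
    paths = shortest_paths(router)
    return {pfx: "local" if home == router else paths[home][1]
            for pfx, home in PREFIXES.items()}

def save_incoming_table(router):
    """{prefix: set of interfaces packets from it legitimately arrive on}.
    Built the way SAVE updates propagate: from each source prefix's home
    router follow the forwarding path toward every other prefix and record
    the previous hop at each router along the way."""
    table = {}
    for src_pfx, home in PREFIXES.items():
        if home == router:
            table[src_pfx] = {"local"}
            continue
        paths = shortest_paths(home)
        for dst_home in set(PREFIXES.values()) - {home}:
            path = paths[dst_home]
            if router in path:
                table.setdefault(src_pfx, set()).add(path[path.index(router) - 1])
    return table

def _lookup(table, ip):
    addr = ipaddress.ip_address(ip)
    for pfx, value in table.items():
        if addr in ipaddress.ip_network(pfx):
            return value
    return None

def strict_rpf(router, src_ip, in_iface):
    """Accept only if the route back to the source leaves via the ingress interface."""
    return _lookup(routing_table(router), src_ip) == in_iface

def loose_rpf(router, src_ip, in_iface):
    """Accept if the source is routable at all; the ingress interface is ignored."""
    return _lookup(routing_table(router), src_ip) is not None

def save_check(router, src_ip, in_iface):
    """Accept if the ingress interface is one the SAVE incoming table expects."""
    expected = _lookup(save_incoming_table(router), src_ip)
    return expected is not None and in_iface in expected
```

At router D a genuine packet from 10.1.7.7 arrives over the B link, while D's own route back to 10.1.0.0/16 points at C: strict RPF drops the legitimate packet, loose RPF accepts it but also accepts a host in 10.2.0.0/16 that spoofs 10.1.7.7, and the SAVE table, having learned that 10.1.0.0/16 traffic enters via B, gets both cases right. Loose RPF only ever catches addresses that are not routable anywhere, which is why it stops bogons but not spoofing of real prefixes.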
Hybrid Defenses
Utilize both router and host solutions
Routers mark packets as they travel
Hosts use the marks to take action
Path Identifier (Pi)
Path identifier (Pi) was originally designed to defend against DoS attacks; it also provides an IP spoofing defense
Pi uses the IP Identification (fragmentation) field to identify the path a packet traveled; the field is marked along the path
Each router along the path writes a few bits of its own into the field
When a packet reaches its destination the field contains a marking that is almost unique to the path
The end host does not know the path a packet has traveled, but if multiple packets carry the same marking bits,
it is highly likely that they have traveled the same path
Packets with the same source address but a marking different from the one previously seen for that source can be filtered
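Pi marking and the end-host filter described above, as an added example that is not from the slides or the Pi paper. Assumptions of this example: each router shifts the 16-bit field left by two bits and inserts two bits drawn from a hash of the previous hop's address and its own, the first router treats the sending host as its previous hop, and the end host whitelists marks per source during a learning phase. All addresses and paths are made up.

```python
import hashlib

# Added example, not from the slides or the Pi paper: Pi-style path marking in
# the 16-bit IP Identification field plus the end-host filter. Assumptions:
# N_BITS per router, taken from a hash of (previous hop, this router); the
# first router uses the sending host as previous hop. Addresses are made up.
N_BITS = 2
FIELD_BITS = 16
FIELD_MASK = (1 << FIELD_BITS) - 1
HOPS_KEPT = FIELD_BITS // N_BITS   # older marks are shifted out: only the last 8 hops survive

# Constructed paths: path[0] is the sending host, path[1:] the routers in order.
LEGIT_PATH = ["10.1.0.5", "192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4", "192.0.2.5",
              "192.0.2.6", "192.0.2.7", "192.0.2.8", "192.0.2.9", "192.0.2.10"]
# An attacker elsewhere in the network reaches the same last-hop router but
# spoofs 10.1.0.5 as the source address.
ATTACK_PATH = ["203.0.113.9", "198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4",
               "198.51.100.5", "198.51.100.6", "198.51.100.7", "192.0.2.10"]

def router_mark(field, router_ip, prev_hop_ip):
    """One Pi router's action: shift the field and append its N_BITS."""
    h = hashlib.sha256(f"{prev_hop_ip}>{router_ip}".encode()).digest()
    return ((field << N_BITS) | (h[-1] & ((1 << N_BITS) - 1))) & FIELD_MASK

def mark_along_path(path, field=0):
    """Field value the destination sees after every router on `path` marked it."""
    for prev_hop, router in zip(path, path[1:]):
        field = router_mark(field, router, prev_hop)
    return field

class PiFilter:
    """End-host side: remember the marks seen from each source during a learning
    phase (e.g. on packets of completed connections); later packets that claim
    that source but carry an unseen mark are dropped."""
    def __init__(self):
        self.known = {}

    def learn(self, src_ip, mark):
        self.known.setdefault(src_ip, set()).add(mark)

    def accept(self, src_ip, mark):
        known = self.known.get(src_ip)
        return known is None or mark in known   # no history: nothing to compare against
```

Two caveats follow directly from the code: with two bits per hop only the last eight routers influence the mark, so two sources behind the same eight-router tail are indistinguishable, and a source with no learned history is accepted by default, so the filter only protects addresses the host has already seen legitimately.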
References
T. Ehrenkranz and J. Li. On the state of IP spoofing defense. ACM Transactions on Internet Technology (TOIT), 9(2):6:1–6:??, May 2009.
Network security class notes
http://www.wikipedia.org/