Don’t Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation of Inbound Traffic

Maciej Korczyński; Yevheniya Nosyk; Qasim Lone; Marcin Skwarek; Baptiste Jonglez; Andrzej Duda

doi:10.1007/978-3-030-44081-7_7

Don’t Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation of Inbound Traffic

Maciej Korczyński^*, Yevheniya Nosyk, Qasim Lone, Marcin Skwarek, Baptiste Jonglez, Andrzej Duda

^*Corresponding author for this work

Organisation & Governance

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

17 Citations (Scopus)

Abstract

This paper concerns the problem of the absence of ingress filtering at the network edge, one of the main causes of important network security issues. Numerous network operators do not deploy the best current practice—Source Address Validation (SAV) that aims at mitigating these issues. We perform the first Internet-wide active measurement study to enumerate networks not filtering incoming packets by their source address. The measurement method consists of identifying closed and open DNS resolvers handling requests coming from the outside of the network with the source address from the range assigned inside the network under the test. The proposed method provides the most complete picture of the inbound SAV deployment state at network providers. We reveal that 32 673 Autonomous Systems (ASes) and 197 641 Border Gateway Protocol (BGP) prefixes are vulnerable to spoofing of inbound traffic. Finally, using the data from the Spoofer project and performing an open resolver scan, we compare the filtering policies in both directions.

Original language	English
Title of host publication	Passive and Active Measurement - 21st International Conference, PAM 2020, Proceedings
Editors	Anna Sperotto, Alberto Dainotti, Burkhard Stiller
Publisher	SpringerOpen
Pages	107-121
Number of pages	15
ISBN (Print)	9783030440800
DOIs	https://doi.org/10.1007/978-3-030-44081-7_7
Publication status	Published - 2020
Event	21st International Conference on Passive and Active Measurement, PAM 2020 - Eugene, United States Duration: 30 Mar 2020 → 31 Mar 2020

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	12048 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	21st International Conference on Passive and Active Measurement, PAM 2020
Country/Territory	United States
City	Eugene
Period	30/03/20 → 31/03/20

Keywords

DNS resolvers
IP spoofing
Source Address Validation

Access to Document

10.1007/978-3-030-44081-7_7

Cite this

Korczyński, M., Nosyk, Y., Lone, Q., Skwarek, M., Jonglez, B., & Duda, A. (2020). Don’t Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation of Inbound Traffic. In A. Sperotto, A. Dainotti, & B. Stiller (Eds.), Passive and Active Measurement - 21st International Conference, PAM 2020, Proceedings (pp. 107-121). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 12048 LNCS). SpringerOpen. https://doi.org/10.1007/978-3-030-44081-7_7

Korczyński, Maciej ; Nosyk, Yevheniya ; Lone, Qasim et al. / Don’t Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation of Inbound Traffic. Passive and Active Measurement - 21st International Conference, PAM 2020, Proceedings. editor / Anna Sperotto ; Alberto Dainotti ; Burkhard Stiller. SpringerOpen, 2020. pp. 107-121 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{2d398a7956bd4961a62f4dfa90b83ad8,

title = "Don{\textquoteright}t Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation of Inbound Traffic",

abstract = "This paper concerns the problem of the absence of ingress filtering at the network edge, one of the main causes of important network security issues. Numerous network operators do not deploy the best current practice—Source Address Validation (SAV) that aims at mitigating these issues. We perform the first Internet-wide active measurement study to enumerate networks not filtering incoming packets by their source address. The measurement method consists of identifying closed and open DNS resolvers handling requests coming from the outside of the network with the source address from the range assigned inside the network under the test. The proposed method provides the most complete picture of the inbound SAV deployment state at network providers. We reveal that 32 673 Autonomous Systems (ASes) and 197 641 Border Gateway Protocol (BGP) prefixes are vulnerable to spoofing of inbound traffic. Finally, using the data from the Spoofer project and performing an open resolver scan, we compare the filtering policies in both directions.",

keywords = "DNS resolvers, IP spoofing, Source Address Validation",

author = "Maciej Korczy{\'n}ski and Yevheniya Nosyk and Qasim Lone and Marcin Skwarek and Baptiste Jonglez and Andrzej Duda",

year = "2020",

doi = "10.1007/978-3-030-44081-7_7",

language = "English",

isbn = "9783030440800",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "SpringerOpen",

pages = "107--121",

editor = "Anna Sperotto and Alberto Dainotti and Burkhard Stiller",

booktitle = "Passive and Active Measurement - 21st International Conference, PAM 2020, Proceedings",

note = "21st International Conference on Passive and Active Measurement, PAM 2020 ; Conference date: 30-03-2020 Through 31-03-2020",

}

Korczyński, M, Nosyk, Y, Lone, Q, Skwarek, M, Jonglez, B & Duda, A 2020, Don’t Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation of Inbound Traffic. in A Sperotto, A Dainotti & B Stiller (eds), Passive and Active Measurement - 21st International Conference, PAM 2020, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 12048 LNCS, SpringerOpen, pp. 107-121, 21st International Conference on Passive and Active Measurement, PAM 2020, Eugene, United States, 30/03/20. https://doi.org/10.1007/978-3-030-44081-7_7

Don’t Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation of Inbound Traffic. / Korczyński, Maciej; Nosyk, Yevheniya; Lone, Qasim et al.
Passive and Active Measurement - 21st International Conference, PAM 2020, Proceedings. ed. / Anna Sperotto; Alberto Dainotti; Burkhard Stiller. SpringerOpen, 2020. p. 107-121 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 12048 LNCS).

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

TY - GEN

T1 - Don’t Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation of Inbound Traffic

AU - Korczyński, Maciej

AU - Nosyk, Yevheniya

AU - Lone, Qasim

AU - Skwarek, Marcin

AU - Jonglez, Baptiste

AU - Duda, Andrzej

PY - 2020

Y1 - 2020

N2 - This paper concerns the problem of the absence of ingress filtering at the network edge, one of the main causes of important network security issues. Numerous network operators do not deploy the best current practice—Source Address Validation (SAV) that aims at mitigating these issues. We perform the first Internet-wide active measurement study to enumerate networks not filtering incoming packets by their source address. The measurement method consists of identifying closed and open DNS resolvers handling requests coming from the outside of the network with the source address from the range assigned inside the network under the test. The proposed method provides the most complete picture of the inbound SAV deployment state at network providers. We reveal that 32 673 Autonomous Systems (ASes) and 197 641 Border Gateway Protocol (BGP) prefixes are vulnerable to spoofing of inbound traffic. Finally, using the data from the Spoofer project and performing an open resolver scan, we compare the filtering policies in both directions.

AB - This paper concerns the problem of the absence of ingress filtering at the network edge, one of the main causes of important network security issues. Numerous network operators do not deploy the best current practice—Source Address Validation (SAV) that aims at mitigating these issues. We perform the first Internet-wide active measurement study to enumerate networks not filtering incoming packets by their source address. The measurement method consists of identifying closed and open DNS resolvers handling requests coming from the outside of the network with the source address from the range assigned inside the network under the test. The proposed method provides the most complete picture of the inbound SAV deployment state at network providers. We reveal that 32 673 Autonomous Systems (ASes) and 197 641 Border Gateway Protocol (BGP) prefixes are vulnerable to spoofing of inbound traffic. Finally, using the data from the Spoofer project and performing an open resolver scan, we compare the filtering policies in both directions.

KW - DNS resolvers

KW - IP spoofing

KW - Source Address Validation

UR - http://www.scopus.com/inward/record.url?scp=85082990100&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-44081-7_7

DO - 10.1007/978-3-030-44081-7_7

M3 - Conference contribution

AN - SCOPUS:85082990100

SN - 9783030440800

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 107

EP - 121

BT - Passive and Active Measurement - 21st International Conference, PAM 2020, Proceedings

A2 - Sperotto, Anna

A2 - Dainotti, Alberto

A2 - Stiller, Burkhard

PB - SpringerOpen

T2 - 21st International Conference on Passive and Active Measurement, PAM 2020

Y2 - 30 March 2020 through 31 March 2020

ER -

Korczyński M, Nosyk Y, Lone Q, Skwarek M, Jonglez B, Duda A. Don’t Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation of Inbound Traffic. In Sperotto A, Dainotti A, Stiller B, editors, Passive and Active Measurement - 21st International Conference, PAM 2020, Proceedings. SpringerOpen. 2020. p. 107-121. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-030-44081-7_7

Don’t Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation of Inbound Traffic

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cybersecurity (TPM)

Cite this

Don’t Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation of Inbound Traffic

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Projects

Cybersecurity (TPM)

Cite this