Using loops observed in traceroute to infer the ability to spoof

Qasim Lone; Matthew Luckie; Maciej Korczyński; Michel Van Eeten

doi:10.1007/978-3-319-54328-4_17

Using loops observed in traceroute to infer the ability to spoof

Qasim Lone^*, Matthew Luckie, Maciej Korczyński, Michel Van Eeten

^*Corresponding author for this work

Organisation & Governance

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

13 Citations (Scopus)

97 Downloads (Pure)

Abstract

Despite source IP address spoofing being a known vulnerability for at least 25 years, and despite many efforts to shed light on the problem, spoofing remains a popular attack method for redirection, amplification, and anonymity. To defeat these attacks requires operators to ensure their networks filter packets with spoofed source IP addresses, known as source address validation (SAV), best deployed at the edge of the network where traffic originates. In this paper, we present a new method using routing loops appearing in traceroute data to infer inadequate SAV at the transit provider edge, where a provider does not filter traffic that should not have come from the customer. Our method does not require a vantage point within the customer network. We present and validate an algorithm that identifies at Internet scale which loops imply a lack of ingress filtering by providers. We found 703 provider ASes that do not implement ingress filtering on at least one of their links for 1,780 customer ASes. Most of these observations are unique compared to the existing methods of the Spoofer and Open Resolver projects. By increasing the visibility of the networks that allow spoofing, we aim to strengthen the incentives for the adoption of SAV.

Original language	English
Title of host publication	Passive and Active Measurement - 18th International Conference, PAM 2017, Proceedings
Editors	Steve Uhlig, Johanna Amann, Mohamed Ali Kaafar
Publisher	Springer
Pages	229-241
Number of pages	13
ISBN (Print)	9783319543277
DOIs	https://doi.org/10.1007/978-3-319-54328-4_17
Publication status	Published - 2017
Event	18th International Conference on Passive and Active Measurement, PAM 2017 - Sydney, Australia Duration: 30 Mar 2017 → 31 Mar 2017

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	10176 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	18th International Conference on Passive and Active Measurement, PAM 2017
Country/Territory	Australia
City	Sydney
Period	30/03/17 → 31/03/17

Access to Document

10.1007/978-3-319-54328-4_17

Camera_ready__Using_Loops_Observed_in_Traceroute_to_Infer_Ability_to_SpoofAccepted author manuscript, 281 KB

Cite this

Lone, Q., Luckie, M., Korczyński, M., & Van Eeten, M. (2017). Using loops observed in traceroute to infer the ability to spoof. In S. Uhlig, J. Amann, & M. A. Kaafar (Eds.), Passive and Active Measurement - 18th International Conference, PAM 2017, Proceedings (pp. 229-241). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10176 LNCS). Springer. https://doi.org/10.1007/978-3-319-54328-4_17

Lone, Qasim ; Luckie, Matthew ; Korczyński, Maciej et al. / Using loops observed in traceroute to infer the ability to spoof. Passive and Active Measurement - 18th International Conference, PAM 2017, Proceedings. editor / Steve Uhlig ; Johanna Amann ; Mohamed Ali Kaafar. Springer, 2017. pp. 229-241 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{9ca1d658effe4569a6020a65617c5633,

title = "Using loops observed in traceroute to infer the ability to spoof",

abstract = "Despite source IP address spoofing being a known vulnerability for at least 25 years, and despite many efforts to shed light on the problem, spoofing remains a popular attack method for redirection, amplification, and anonymity. To defeat these attacks requires operators to ensure their networks filter packets with spoofed source IP addresses, known as source address validation (SAV), best deployed at the edge of the network where traffic originates. In this paper, we present a new method using routing loops appearing in traceroute data to infer inadequate SAV at the transit provider edge, where a provider does not filter traffic that should not have come from the customer. Our method does not require a vantage point within the customer network. We present and validate an algorithm that identifies at Internet scale which loops imply a lack of ingress filtering by providers. We found 703 provider ASes that do not implement ingress filtering on at least one of their links for 1,780 customer ASes. Most of these observations are unique compared to the existing methods of the Spoofer and Open Resolver projects. By increasing the visibility of the networks that allow spoofing, we aim to strengthen the incentives for the adoption of SAV.",

author = "Qasim Lone and Matthew Luckie and Maciej Korczy{\'n}ski and {Van Eeten}, Michel",

year = "2017",

doi = "10.1007/978-3-319-54328-4_17",

language = "English",

isbn = "9783319543277",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer",

pages = "229--241",

editor = "Steve Uhlig and Johanna Amann and Kaafar, {Mohamed Ali}",

booktitle = "Passive and Active Measurement - 18th International Conference, PAM 2017, Proceedings",

note = "18th International Conference on Passive and Active Measurement, PAM 2017 ; Conference date: 30-03-2017 Through 31-03-2017",

}

Lone, Q, Luckie, M, Korczyński, M & Van Eeten, M 2017, Using loops observed in traceroute to infer the ability to spoof. in S Uhlig, J Amann & MA Kaafar (eds), Passive and Active Measurement - 18th International Conference, PAM 2017, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 10176 LNCS, Springer, pp. 229-241, 18th International Conference on Passive and Active Measurement, PAM 2017, Sydney, Australia, 30/03/17. https://doi.org/10.1007/978-3-319-54328-4_17

Using loops observed in traceroute to infer the ability to spoof. / Lone, Qasim; Luckie, Matthew; Korczyński, Maciej et al.
Passive and Active Measurement - 18th International Conference, PAM 2017, Proceedings. ed. / Steve Uhlig; Johanna Amann; Mohamed Ali Kaafar. Springer, 2017. p. 229-241 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10176 LNCS).

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

TY - GEN

T1 - Using loops observed in traceroute to infer the ability to spoof

AU - Lone, Qasim

AU - Luckie, Matthew

AU - Korczyński, Maciej

AU - Van Eeten, Michel

PY - 2017

Y1 - 2017

N2 - Despite source IP address spoofing being a known vulnerability for at least 25 years, and despite many efforts to shed light on the problem, spoofing remains a popular attack method for redirection, amplification, and anonymity. To defeat these attacks requires operators to ensure their networks filter packets with spoofed source IP addresses, known as source address validation (SAV), best deployed at the edge of the network where traffic originates. In this paper, we present a new method using routing loops appearing in traceroute data to infer inadequate SAV at the transit provider edge, where a provider does not filter traffic that should not have come from the customer. Our method does not require a vantage point within the customer network. We present and validate an algorithm that identifies at Internet scale which loops imply a lack of ingress filtering by providers. We found 703 provider ASes that do not implement ingress filtering on at least one of their links for 1,780 customer ASes. Most of these observations are unique compared to the existing methods of the Spoofer and Open Resolver projects. By increasing the visibility of the networks that allow spoofing, we aim to strengthen the incentives for the adoption of SAV.

AB - Despite source IP address spoofing being a known vulnerability for at least 25 years, and despite many efforts to shed light on the problem, spoofing remains a popular attack method for redirection, amplification, and anonymity. To defeat these attacks requires operators to ensure their networks filter packets with spoofed source IP addresses, known as source address validation (SAV), best deployed at the edge of the network where traffic originates. In this paper, we present a new method using routing loops appearing in traceroute data to infer inadequate SAV at the transit provider edge, where a provider does not filter traffic that should not have come from the customer. Our method does not require a vantage point within the customer network. We present and validate an algorithm that identifies at Internet scale which loops imply a lack of ingress filtering by providers. We found 703 provider ASes that do not implement ingress filtering on at least one of their links for 1,780 customer ASes. Most of these observations are unique compared to the existing methods of the Spoofer and Open Resolver projects. By increasing the visibility of the networks that allow spoofing, we aim to strengthen the incentives for the adoption of SAV.

UR - http://www.scopus.com/inward/record.url?scp=85015886209&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-54328-4_17

DO - 10.1007/978-3-319-54328-4_17

M3 - Conference contribution

AN - SCOPUS:85015886209

SN - 9783319543277

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 229

EP - 241

BT - Passive and Active Measurement - 18th International Conference, PAM 2017, Proceedings

A2 - Uhlig, Steve

A2 - Amann, Johanna

A2 - Kaafar, Mohamed Ali

PB - Springer

T2 - 18th International Conference on Passive and Active Measurement, PAM 2017

Y2 - 30 March 2017 through 31 March 2017

ER -

Lone Q, Luckie M, Korczyński M, Van Eeten M. Using loops observed in traceroute to infer the ability to spoof. In Uhlig S, Amann J, Kaafar MA, editors, Passive and Active Measurement - 18th International Conference, PAM 2017, Proceedings. Springer. 2017. p. 229-241. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-319-54328-4_17

Using loops observed in traceroute to infer the ability to spoof

Abstract

Publication series

Conference

Access to Document

Other files and links

Fingerprint

Cybersecurity (TPM)

Cite this

Using loops observed in traceroute to infer the ability to spoof

Abstract

Publication series

Conference

Access to Document

Other files and links

Fingerprint

Projects

Cybersecurity (TPM)

Cite this