DOI: 10.1145/3131365.3131367
Research article

Detection, classification, and analysis of inter-domain traffic with spoofed source IP addresses

Published: 01 November 2017 Publication History

Abstract

IP traffic with forged source addresses (i.e., spoofed traffic) enables a series of threats ranging from the impersonation of remote hosts to massive denial-of-service attacks. Consequently, IP address spoofing has received considerable attention, with efforts either to suppress spoofing, to mitigate its consequences, or to actively measure the ability to spoof in individual networks. However, as of today we still lack a comprehensive understanding both of the prevalence and characteristics of spoofed traffic "in the wild" and of the networks that inject spoofed traffic into the Internet.
In this paper, we propose and evaluate a method to passively detect spoofed packets in traffic exchanged between networks in the inter-domain Internet. Our detection mechanism identifies both source IP addresses that should never be visible in the inter-domain Internet (i.e., unrouted and bogon sources) and source addresses that should not be sourced by individual networks, as inferred from BGP routing information. We apply our method to classify the traffic exchanged between more than 700 networks at a large European IXP. We find that the majority of connected networks do not filter their outgoing traffic, or do not do so consistently. Filtering strategies and contributions of spoofed traffic vary heavily across networks of different types and sizes. Finally, we study qualitative characteristics of spoofed traffic, regarding both application popularity and structural properties of addresses. Combining our observations, we identify and study dominant attack patterns.
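The two-stage check the abstract describes (first bogon and unrouted sources, then sources that the member network on whose IXP port a packet arrived should not be originating according to BGP) can be prototyped as below. This is an added example written for this page, not the authors' code or data: the bogon list is abridged, the BGP view and the sampled packets are constructed, and "may source a prefix" is simplified to "announces that prefix toward the IXP". A real deployment widens the allowed set to each member's customer cone, because multihomed customers (RFC 3704) legitimately emit the same prefixes through several upstreams, and strict per-port lists would otherwise flag them.

```python
"""Classify sampled inter-domain packets by source-address plausibility.
Added example for this page; not the paper's code. Every table and packet
below is constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Abridged bogon list: sources that must never appear on the public Internet.
# RFC 5737 / RFC 3849 documentation ranges are deliberately NOT listed here,
# because this example uses them as stand-ins for routed address space.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4", "::/128", "fc00::/7", "fe80::/10",
)]

# Constructed stand-in for a BGP view at the IXP: prefix -> member ASNs that
# announce it (assumption: built from route-server / RIS / Route Views RIB
# dumps, taking the first AS in the path as the announcing member).
BGP_VIEW = {
    "203.0.113.0/24": {64500},
    "198.51.100.0/24": {64501},
    "198.51.100.128/25": {64502},   # more specific, announced by another member
    "2001:db8::/32": {64503},
}


class PrefixTable:
    """Longest-prefix-match table over a prefix -> value mapping (v4 and v6)."""

    def __init__(self, entries):
        # Longest prefixes first, so the first containing entry is the best match.
        self._entries = sorted(
            ((ipaddress.ip_network(p), v) for p, v in entries.items()),
            key=lambda e: e[0].prefixlen, reverse=True)

    def lookup(self, addr):
        a = ipaddress.ip_address(addr)
        for net, value in self._entries:   # `in` is False across IP versions
            if a in net:
                return net, value
        return None, None


@dataclass(frozen=True)
class Packet:
    src: str          # source address as sampled on the IXP fabric
    ingress_asn: int  # member AS whose port the packet arrived on


def classify(pkt, table):
    """Return 'bogon', 'unrouted', 'not_sourceable' or 'plausible'."""
    a = ipaddress.ip_address(pkt.src)
    if any(a in b for b in BOGONS):
        return "bogon"
    net, members = table.lookup(pkt.src)
    if net is None:
        return "unrouted"         # no BGP route covers this source at all
    if pkt.ingress_asn not in members:
        return "not_sourceable"   # routed, but not by the network that sent it
    return "plausible"


def summarize(packets, table):
    """Per-member counts per class. Any non-'plausible' count means the member
    is not (consistently) filtering its outgoing traffic."""
    out = {}
    for p in packets:
        cls = classify(p, table)
        counts = out.setdefault(p.ingress_asn, {})
        counts[cls] = counts.get(cls, 0) + 1
    return out


# Constructed packet samples (what sFlow on an IXP fabric would hand you).
SAMPLE = [
    Packet("203.0.113.7", 64500),     # plausible
    Packet("10.1.2.3", 64500),        # bogon: RFC 1918 source leaking out
    Packet("198.51.100.200", 64502),  # plausible: the /25 is 64502's
    Packet("198.51.100.200", 64501),  # not_sourceable: /25 overrides the /24
    Packet("198.51.100.5", 64501),    # plausible
    Packet("203.0.113.9", 64501),     # not_sourceable: prefix is 64500's
    Packet("233.252.0.1", 64503),     # bogon: multicast source
    Packet("198.18.0.1", 64503),      # unrouted: no covering route
    Packet("2001:db8::1", 64503),     # plausible (IPv6)
    Packet("2001:db8::2", 64500),     # not_sourceable: /32 is 64503's
]

if __name__ == "__main__":
    table = PrefixTable(BGP_VIEW)
    for asn, counts in sorted(summarize(SAMPLE, table).items()):
        print(f"AS{asn}: {counts}")
```

Running the block prints one line per member with its class counts. Treat a single flagged sample as a hint, not a verdict: a member can legitimately forward a prefix the BGP view did not attribute to it (transit for a customer, partial routing visibility), so the conclusion that a network does not filter rests on volume and persistence over time, not on one packet.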


      Published In

      IMC '17: Proceedings of the 2017 Internet Measurement Conference
      November 2017, 509 pages
      ISBN: 9781450351188
      DOI: 10.1145/3131365
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

      In-Cooperation

      USENIX Association

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. IP spoofing
      2. denial-of-service
      3. inter-domain traffic
      4. network filtering

      Qualifiers

      • Research-article

      Funding Sources

      • DFG/German Research Foundation

      Conference

      IMC '17: Internet Measurement Conference
      November 1 - 3, 2017
      London, United Kingdom

      Acceptance Rates

      Overall Acceptance Rate 277 of 1,083 submissions, 26%
