Detection, classification, and analysis of inter-domain traffic with spoofed source IP addresses
| Author | Thorben Krüger, Florian Streibelt, Franziska Lichtblau, Philipp M. Richter, Anja Feldmann |
|---|---|
| Year of publication | 2017 |
| Subject | 021110 strategic, defence & security studies; Spoofing attack; Computer science; Inter-domain; Network packet; Computer-communication networks; 0211 other engineering and technologies; 020206 networking & telecommunications; Denial-of-service attack; 02 engineering and technology; Internet traffic; IP address spoofing; Management of computing and information systems; Border Gateway Protocol; 0202 electrical engineering, electronic engineering, information engineering; The Internet; Computer network |
| Source | Internet Measurement Conference |
| DOI | 10.1145/3131365.3131367 |
| Description | IP traffic with forged source addresses (i.e., spoofed traffic) enables a series of threats ranging from the impersonation of remote hosts to massive denial-of-service attacks. Consequently, IP address spoofing received considerable attention with efforts to either suppress spoofing, to mitigate its consequences, or to actively measure the ability to spoof in individual networks. However, as of today, we still lack a comprehensive understanding both of the prevalence and the characteristics of spoofed traffic "in the wild" as well as of the networks that inject spoofed traffic into the Internet. In this paper, we propose and evaluate a method to passively detect spoofed packets in traffic exchanged between networks in the inter-domain Internet. Our detection mechanism identifies both source IP addresses that should never be visible in the inter-domain Internet (i.e., unrouted and bogon sources) as well as source addresses that should not be sourced by individual networks, as inferred from BGP routing information. We apply our method to classify the traffic exchanged between more than 700 networks at a large European IXP. We find that the majority of connected networks do not, or not consistently, filter their outgoing traffic. Filtering strategies and contributions of spoofed traffic vary heavily across networks of different types and sizes. Finally, we study qualitative characteristics of spoofed traffic, regarding both application popularity as well as structural properties of addresses. Combining our observations, we identify and study dominant attack patterns. |
| Database | OpenAIRE |
| External link | |