idpf_infocom06 by liaoxiuli


Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates

Zhenhai Duan, Xin Yuan
Department of Computer Science
Florida State University

Jaideep Chandrashekar
Department of Computer Science
University of Minnesota
• Outline:
  – Background
     • IP spoofing
     • Route based packet filtering
  – Related BGP concepts
  – Inter-domain Packet Filters (IDPF)
     • General idea
     • Assumptions
     • Technique to compute the filters
  – Performance
  – Conclusion
• IP spoofing:
  [Figure: example AS topology with nodes A, X, Y, C in a row, B above X and D below X]
  – Forging the source address
  – Used by many popular DDoS attacks
  – Makes it difficult to defend against attacks.
• Route based packet filtering [K. Park, SIGCOMM 2001]
  [Figure: the same topology (A, X, Y, C in a row, B above X, D below X), showing the route a packet from A to C must follow]
   – One can fake the identity, but not the route.
   – A router can decide whether it is in the path from the
     source to the destination and drop packets that are not
     supposed to be there.
• Route based packet filtering Requirement:
  – The router must know the route between any
    pair of source and destination addresses.
     • Global topology information
     • Not available in BGP.


• Is it possible to build route based packet
  filters from BGP updates?
• If it is possible, what is the performance?
• BGP:
  – Autonomous Systems (ASes) are the basic units
     • The network can be modeled as an AS graph
     • Nodes are ASes and edges are BGP sessions
     • Nodes own network prefixes and exchange BGP
       route updates to learn the reachability of prefixes
     • Attributes associated with routes: AS path, prefix.


  – Policy based routing:
     • Import
     • Route selection
     • Export
• BGP:
  – Routing policies are usually decided by the AS
    relation
     • Provider-customer
     • Peer-peer
     • Sibling-sibling
• Inter Domain Packet Filters (IDPF):
  – IDPF decides feasible routes under BGP
  – Feasible routes in BGP are constrained by
    routing policies (AS relation)
  – Path constrained by the routing policies
• Assumptions in our scheme:
     • Export rules: MUST export




     • Import rules:
• Inferring the feasible paths:




  – If u is a feasible upstream neighbor of v for
    packet M(s, d), node u must have exported to v
    its best route to reach s.
• Building IDPF:
  – Node v accepts packet M(s, d) forwarded by
    node u if and only if




  – IDPFs allow traffic to go through any feasible
    route
     • May affect the performance
     • No problem in the path exploration phase.
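The slides state the filter rule in words: node v accepts M(s, d) from neighbour u only if u has exported to v its best route to s. The following is an added example, not the authors' code, that builds such filter tables over a constructed six-AS graph. It assumes the standard valley-free export policy (customer-learned and originated routes go to everyone; provider- and peer-learned routes go only to customers) as the "MUST export" rule, a customer > peer > provider route preference, and one prefix per AS; all prefixes, AS names and relationships are constructed. It also shows the point made above that IDPF admits every feasible upstream for a source, not only the best-route one.

```python
"""Added example (not the paper's code): derive IDPF filter tables from
the routes each AS exports to its neighbours, over a constructed AS graph."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed topology: each AS originates exactly one prefix.
PREFIXES = {
    "A": "10.1.0.0/16", "B": "10.2.0.0/16", "C": "10.3.0.0/16",
    "D": "10.4.0.0/16", "X": "10.5.0.0/16", "Y": "10.6.0.0/16",
}
# Constructed AS relationships: ("c2p", a, b) = a is a customer of b;
# ("p2p", a, b) = a and b are peers.  B is multihomed to X and Y.
LINKS = [
    ("c2p", "A", "X"), ("c2p", "D", "X"), ("c2p", "B", "X"),
    ("c2p", "B", "Y"), ("c2p", "C", "Y"), ("p2p", "X", "Y"),
]
# Assumed route preference by the neighbour type a route was learned from.
PREF = {"origin": 0, "customer": 1, "peer": 2, "provider": 3}


def build_relations(links):
    """rel[v][n] = what neighbour n is to v: 'customer', 'provider' or 'peer'."""
    rel = defaultdict(dict)
    for kind, a, b in links:
        if kind == "c2p":
            rel[a][b], rel[b][a] = "provider", "customer"
        else:
            rel[a][b] = rel[b][a] = "peer"
    return rel


def may_export(learned_from, to_role):
    """Assumed valley-free export rule: originated or customer-learned routes
    go to every neighbour; provider/peer-learned routes only to customers."""
    return learned_from in ("origin", "customer") or to_role == "customer"


def better(new, old):
    """Prefer customer > peer > provider routes, then shorter AS paths,
    then the lexically smaller path as a deterministic tie-break."""
    if old is None:
        return True
    return (PREF[new[0]], len(new[1]), new[1]) < (PREF[old[0]], len(old[1]), old[1])


def simulate_bgp(prefixes, links):
    """Propagate routes until no RIB changes.  Returns (rib, exported):
    rib[v][prefix] = (learned_from, as_path from v to the origin) and
    exported[u][v] = set of prefixes whose best route u announced to v."""
    rel = build_relations(links)
    rib = {v: {} for v in prefixes}
    for origin, pfx in prefixes.items():
        rib[origin][pfx] = ("origin", (origin,))
    while True:
        exported = defaultdict(lambda: defaultdict(set))
        new_rib = {v: dict(routes) for v, routes in rib.items()}
        for u, routes in rib.items():
            for pfx, (learned_from, path) in routes.items():
                for v, v_role in rel[u].items():
                    # No export against policy, and no AS-path loops.
                    if not may_export(learned_from, v_role) or v in path:
                        continue
                    exported[u][v].add(pfx)          # the announcement v saw
                    cand = (rel[v][u], (v,) + path)  # how v would classify it
                    if better(cand, new_rib[v].get(pfx)):
                        new_rib[v][pfx] = cand
        if new_rib == rib:
            return rib, exported
        rib = new_rib


def idpf_accepts(exported, v, u, src_ip):
    """IDPF rule at node v: accept M(s, d) arriving from neighbour u only if
    u exported to v a route covering s, i.e. u is a feasible upstream."""
    s = ip_address(src_ip)
    return any(s in ip_network(p) for p in exported[u][v])


def feasible_upstreams(exported, v, src_ip):
    """Every neighbour from which v accepts source s: IDPF admits all
    feasible routes, not only the single best route v currently uses."""
    s = ip_address(src_ip)
    return sorted(u for u in list(exported)
                  if any(s in ip_network(p) for p in exported[u][v]))


if __name__ == "__main__":
    rib, exported = simulate_bgp(PREFIXES, LINKS)
    # A genuine packet from A crossing the X-Y peering link is accepted at Y;
    # a packet from X claiming C's address is dropped, since X never
    # exported a route to C toward Y.
    print(idpf_accepts(exported, "Y", "X", "10.1.0.7"))   # True
    print(idpf_accepts(exported, "Y", "X", "10.3.0.7"))   # False
    # Y's best route to B is direct, but X is also a feasible upstream.
    print(feasible_upstreams(exported, "Y", "10.2.0.1"))  # ['B', 'X']
```

The filter at each node is derived only from announcements that node actually received, which is the slides' point: no global topology is needed, only the local BGP view. The multihomed AS B illustrates the performance caveat: Y accepts B-sourced packets from both B and X, so a compromised host in X's domain could still spoof B toward Y, whereas an ideal route-based filter that knew Y's single best route would not.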
• Routing policy complication:
   – Selective announcements:




   – r5: restricted conditional advertisement
• Performance:
  – IDPF has two effects
     • Reducing the number of prefixes that can be spoofed
     • Localizing the source of spoofed packets


  – Because IDPF finds a set of feasible paths instead of one
    best route, its performance will not be as good
    as the ideal route based packet filters [Park
    2001]
• Performance metrics [Park 2001]:
  – 1 ( ) : the proportion of ASes that if attacked
    by an attacker, the attacker can at most spoof 
    ASes.
  – 2 ( ) : the proportion of ASes from which an
    attacker can forge addresses of at most 
    ASes.
  –  1 ( ) : the proportion of ASes being attacked
    that can localize the true origin within 
    ASes.
• Data Set:
  – 4 AS graphs from the BGP data archived by the
    Oregon Route Views Project.
• Experimental setting
  – Determine the feasible paths based on update
    logs.
  – Use the shortest path as the route (adding it to the
    feasible path set if it is not already a feasible path)
  – Selecting nodes that deploy IDPF
     • Random (rnd30/rnd50)
     • Vertex cover
     • If not mentioned specifically, IDPF nodes also have
       network ingress filtering.
• [Plots omitted: the four performance metrics above, each evaluated on the G2004c AS graph]
• Conclusion:
  – We proposed an Inter-domain Packet Filters
    architecture (IDPF) and studied its performance.
  – IDPF can limit the spoofing capability of
    attackers even when partially deployed and
    improves the accuracy of IP traceback.
  – IDPF provides local incentives for deployment.