Spoofing Prevention Method - PowerPoint PPT Presentation

1 / 37
About This Presentation
Title:

Spoofing Prevention Method

Description:

Piggybacked on IP lookup process. Cost of tagging is minimal. Additional IP Lookup required, hence cost is high. Packets categorization ... – PowerPoint PPT presentation

Number of Views:491
Avg rating:3.0/5.0
Slides: 38
Provided by: Gues203
Category:

less

Transcript and Presenter's Notes

Title: Spoofing Prevention Method


1
Spoofing Prevention Method
  • Srikanth T.S.S.
  • Sri Lakshmi Ramya S

2
Spoofing
  • An attempt to gain access to a system by posing
    as an authorized user
  • Attacker forges the source IP of packets
    Spoofing the source IP
  • Spoofed IP is an arbitrary IP address selected
    randomly or intentionally
  • Major tool used by hackers to mount DoS attacks

3
Characteristics of spoofed attacks
  • Weakens the ability to mitigate an attack
  • Makes law enforcement harder

4
Existing mechanisms
  • Ingress / Egress Filtering
  • Trace Back
  • Attempts to mitigate the packet at the destination

5
Existing mechanisms -Ingress and Egress filtering
  • Ingress An ISP prohibits receiving from its
    stub connected networks packets whose source
    address does not belong to the corresponding stub
    network address space
  • Egress A router or a firewall which is the
    gateway of a stub network filters out any packet
    whose source address does not belong to the
    network address space

6
Existing mechanisms -Ingress and Egress filtering
(contd.)
  • Limitations
  • Allows Spoofing within a stub network
  • Not self defensive
  • Effective only when implemented by large number
    of networks
  • Deployment is costly
  • Incentive for an ISP is very low

7
Existing mechanisms Traceback
  • Determines path an attack flow traverses
  • Two methods of traceback
  • Stamping packets with router signature
  • Use of a special collector to analyze the path

8
Existing mechanisms TCP Intercept
  • Router checks the real host behind the source
    address by completing the 3-way handshake
  • If connection with client is established, then
    address considered not spoofed
  • Drawbacks
  • Applicable only to TCP. Cannot protect UDP
    traffic or any other connectionless traffic
  • Poses serious performance penalty

9
Spoofing Prevention Method (SPM)
  • Unique temporal key K(S,D) associated with each
    pair ordered air of source destination networks
    (ASs autonomous systems)
  • Router closer to the destination verify
    authenticity of the source address of the packet
  • Effective and provides incentive to ISPs
    implementing SPM

10
Working of SPM
  • Packet leaving a source network S tagged with Key
    K(S,D)
  • Destination network upon reception of packet
    verifies the packet using the key then removes
    the key
  • Keys are changed periodically

11
SPM Skeleton
  • Key Structure its placement
  • Key Distribution Protocol
  • Key Updates
  • SPM Routers

12
Key
  • 16/32 bit
  • Placed in the ID field in the IP header where the
    source address appear
  • Not efficient to place key in IP option field.
  • Simple Memory Lookups One look up per packet
  • No cryptographic functions involved

13
IP Header
14
Key Selection Methodology
  • Each Source address
  • Each Source-Destination address pair
  • Each Source Destination Network pair
  • Each Source Destination AS pair

15
AS Out Table AS In Table
  • AS Out Table
  • Present in the sending router
  • Maintains keys for marking flows
  • AS In Table
  • Present in the Destination router
  • Maintains keys for verification of flows

16
Key Distribution Methods
  • Passive Key Information Distribution
  • Avoids use of a dedicated Key distribution
    protocol
  • Keys in the AS-in Table are learned passively
    from the tagged keys that come from non spoofed
    addresses
  • Can identify a non spoofed traffic if it is TCP
    traffic

17
Key Distribution Methods
  • Active Distribution Protocol
  • Central server to manage key distribution and
    selection
  • AS server performs the following tasks
  • Choosing the keys for the AS-out table
  • Distributing the AS-out table to the routers
  • Announcing the keys from AS-out table to other AS
    servers
  • Building the AS-in table from other server
    announcements
  • Updating the As-in table in the routers in its AS

18
Changing keys periodically
  • periodical key updates to increase system
    security.
  • Method 1
  • Each AS server periodically selects a new set of
    random keys and distributes it to other AS
    servers
  • Keys changed in different ASes in different
    times
  • During replacement router holds 2 keys old
    new

19
Changing keys periodically
  • Method 2
  • Each AS server associated with a pseudo random
    number generator
  • AS tables filled at predefined times with random
    number

20
SPM Routers
  • Two tasks
  • Tagging outgoing packets with key
  • Packet Authentication

21
SPM Routers - Tagging
  • Tagging done at Edge Routers
  • Edge Routers - capable of distinguishing packets
    originated in its AS and packets outside AS
  • Requires look up on the destination address
  • Piggybacked on IP lookup process
  • Cost of tagging is minimal

22
SPM Routers Dynamic Authentication Process
  • Additional IP Lookup required, hence cost is high
  • Packets categorization
  • SPM Recognized Spoofed Traffic
  • SPM Certified Non Spoofed Traffic
  • All Other Traffic

23
SPM Routers Dynamic Authentication Process
(contd.)
  • Types of Verification Discard modes
  • Peace Time (Conservative)
  • Only packets of the first category is completely
    discarded
  • Packets of Category 1 discarded even if there is
    no attack.
  • Attack Time (Aggressive)
  • When DDoS attack is detected
  • Category 1 3 completely discarded
  • Gives greater incentive to SPM deployed traffic

24
Analysis of Benefits and Incentives of SPM
  • Evaluate amount of damage caused to domain i due
    to attacks.
  • Evaluation is conducted as follows
  • No defense approach
  • Ingress/Egress filtering approach
  • SPM approach

25
Analysis of Benefits and Incentives of SPM
(contd.)
  • Assume that the Internet consists of N domains,
    indexed 1,2,,N.
  • Let INT 1,2,,N denote this set.
  • Let be the rate of attacks performed from
    domain I to domain j where the address of I is
    spoofed to an address in domain k.
  • Total attack rate directed at domain i

26
Analysis of Benefits and Incentives of SPM
(contd.)
  • Amount of damage inflicted on servers placed in
    domain i is denoted by
  • Damage reduction is denoted by
  • Relative damage reduction is denoted by

27
Damage (attack rate) under No Defense
  • Total damage to domain I is given by the overall
    attack rate at the domain

28
Damage Reduction under Ingress/Egress Filtering
Defense
  • Assume a set of domains denoted IE 1,2,,N
    conducts ingress/egress filtering
  • Damage Reduction of domain i is given by

29
Damage Reduction Under Ingress/Egress Club Defense
  • Domains that implement ingress/egress filtering
    conduct it exclusively to traffic destined to
    domains in IE
  • Benefits members of IE when compared to non
    members
  • Damage reduction is given by

30
Damage Reduction under SPM Defense
  • Assume partners of SPM treat SPM produced and
    authenticated packets at higher priority
  • Damage reduction is expressed in two ways
  • SPM with ingress/egress filtering

31
Comparison to other Methods
  • Fully Symmetric System (identical domain sizes).
    Let
  • Assume size of each of the defense sets IE,
    IECLUB, SPM, SPMIE is given by K
  • Under no defense
  • Under ingress/egress filtering
  • Under SPM

32
Comparison of Methods - Results
Ingress/Egress Filtering
SMPIngress/Egress
33
Discussion on Results
  • Under ingress/egress filtering the relative
    benefit for a participant is identical to that of
    a non-participant
  • Under Ingress/Egress club, there is some relative
    benefit to its participants but if the club is
    small, there is little incentive
  • Under SPM, the benefits are always sufficiently
    larger

34
Asymmetric System
  • Domain sizes and traffic generated by them are
    not identical
  • Assume that the domain size is distributed in a
    Zipf like distribution
  • Under Zipf distribution, the size of domain i, i
    1,2,N is Xi X/i for some constant X

35
Benefits of SPM plus Ingress/Egress under
Asymmetric traffic
The benefit for participating domains grows very
rapidly with the SPM size. This is inferred by
the fact that large fractions of attacks are
directed to large domains
36
Client Traffic
  • When SPM contains many members and the defense
    used by the attacked server is conservative, SPM
    client derives little advantage
  • When SPM contains less members and aggressive
    type of defense is used, clients derive large
    advantage
  • Benefits to the domain clients complements the
    benefits to the domain servers ,hence greater
    incentive of joining SPM

37
Concluding Remarks
  • Ingress filtering economically ineffective poor
    incentive for any network
  • SPM most compatible to todays internet
  • SPM can be used by network routers to eliminate
    or reduce spoofing attacks.
  • Significantly greater incentive for a network
    deploying SPM
  • Effective even if deployed by fraction of
    networks.
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Spoofing Prevention Method" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!