Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates

Zhenhai Duan, Xin Yuan Department of Computer Science Florida State University Jaideep Chandrashekar Department of Computer Science University of Minnesota

 IP spoofing:
B

X D

Forging the source address Used by many popular DDOS attacks Making it difficulty to defend again attacks.

 Route based packet filtering

B

X D

One can fake the identity, but not the route. A router can decide whether it is in the path from the source to the destination and drop packets that are not supposed to be there. Route based packet filter cannot completely eliminate IP spoofing, however, it can significantly reduce it.

 Route based packet filtering requirement:

The router must know the route between any pair of source and destination addresses.
Global topology information Not available in BGP.

Is it possible to infer the feasible route information from BGP updates? If it is possible, what is the performance?

 BGP basic:
Autonomous Systems (AS) are the basic units
The network can be modeled as an AS graph Nodes are ASes and edges are BGP sessions Nodes own network prefixes and exchange BGP route updates to learn the reachability of prefixes Attributes associated with routes: AS path, prefix.

 BGP basic:
An incremental protocol: updates are generated only in response to network events. Policy based routing:
Import Route selection Export

 BGP basic:
AS relationships and routing policy:
Provider-customer Peer-peer Sibling-sibling

 BGP basic:
Property of BGP routes:
Uphill path: customer-provider edges or sibling-sibling edges Downhill path: provider-customer edges or sibling-sibling edge Theorem 1 (Gao [17]): If all Ases set their export policies according to r1-r4, BGP routes belong to one of the following:
An uphill path A downhill path An uphill path followed by a downhill path An uphill path followed by a peer-peer edge A peer-to-peer edge followed by a downhill path An uphill path followed by a peer-to-peer edge followed by a downhill path.

 Inter Domain Packet Filters (IDPF):

Deciding feasible routes under BGP Feasible routes in BGP are constrained by routing policies (AS relation)

 Inter Domain Packet Filters (IDPF):

Path constrained by the routing policies

 Assumptions in our scheme:

Export rules: MUST export

Import rules:

 Inferring the feasible paths:

If u is a feasible upstream neighbor of v for packet M(u, d), node u must have exported to v its best route to reach s.

 IDPFs:

 Routing policy complication:

Selective announcements:

R5: restricted conditional advertisement

 Performance:
IDPF finds a set of feasible paths instead of one best route, its performance will not be as good as the ideal route based filters [Park 2001] Important question: How many ASes must deploy IDPF to be effective? IDPF has two effects
Reducing the number of prefixes that can be spoofed Localizing the source of spoofed packets

 Performance metrics:

 Data Set:
4 AS graphs from the BGP data achieved by the Oregon Route Views Project.

 Experimental setting
Determine the feasible paths based on update logs. Use shortest path as the route (add if the shortest path is not a feasible path) Selecting nodes that deploy IDPF
Random (rnd30/rnd50) Vertex cover If not mentioned specifically, IDPF nodes also have network ingress filtering.

Chance for completely eliminate IP spoofing:

 Conclusion:
We proposed and studied IDPF IDPF can limit the spoofing capability of attackers even when partially deployed and improves the accuracy of IP traceback IDPF provides local incentives for deployment.