The spoofer project: inferring the extent of source address filtering on the internet

Authors: Steven Bauer, Robert Beverly

DOI:

Keywords: The Internet; Denial-of-service attack; Protocol spoofing; Ingress filtering; IP address spoofing; Email spoofing; Network packet; Computer security; Computer science; Spoofing attack

Abstract: Forging, or "spoofing," the source addresses of IP packets provides malicious parties with anonymity and novel attack vectors. Spoofing-based attacks complicate network operator's defense techniques; tracing spoofing remains a difficult and largely manual process. More sophisticated next generation distributed denial of service (DDoS) attacks may test filtering policies and adaptively attempt to forge source addresses. To understand the current state of network filtering, this paper presents an Internet-wide active measurement spoofing project. Clients in our study attempt to send carefully crafted UDP packets designed to infer filtering policies. When filtering of valid packets is in place we determine the filtering granularity by performing adjacent netblock scanning. Our results are the first to quantify the extent and nature of filtering and the ability to spoof on the Internet. We find that approximately one-quarter of the observed addresses, netblocks and autonomous systems (AS) permit full or partial spoofing. Projecting this number to the entire Internet, an approximation we show is reasonable, yields over 360 million addresses and 4,600 ASes from which spoofing is possible. Our findings suggest that a large portion of the Internet is vulnerable to spoofing and concerted attacks employing spoofing remain a serious concern.
