Don’t Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation of Inbound Traffic

  • Conference paper
Passive and Active Measurement (PAM 2020)

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 12048)

Abstract

This paper concerns the absence of ingress filtering at the network edge, one of the main causes of important network security issues. Numerous network operators do not deploy the best current practice, Source Address Validation (SAV), which aims at mitigating these issues. We perform the first Internet-wide active measurement study to enumerate networks that do not filter incoming packets by their source address. The measurement method consists of identifying closed and open DNS resolvers that handle requests coming from outside the network with a source address from the range assigned inside the network under test. The proposed method provides the most complete picture of the inbound SAV deployment state at network providers. We reveal that 32 673 Autonomous Systems (ASes) and 197 641 Border Gateway Protocol (BGP) prefixes are vulnerable to spoofing of inbound traffic. Finally, using the data from the Spoofer project and performing an open resolver scan, we compare the filtering policies in both directions.
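The condition that inbound SAV enforces can be checked from the operator's side, shown here as an added example that is not code from the paper: a packet arriving on an external interface with a source address from the network's own prefixes should have been dropped. The prefixes, interface names and flow records are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed: documentation prefixes stand in for the network's own address space.
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in
                     ("192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32")]
EXTERNAL_IFACES = {"wan0"}  # hypothetical name of the upstream-facing interface

# Constructed border flow records: (ingress interface, src, dst, dst port).
FLOWS = [
    ("wan0", "203.0.113.7",  "192.0.2.53",    53),   # ordinary external query
    ("wan0", "192.0.2.10",   "192.0.2.53",    53),   # internal source seen from outside
    ("wan0", "198.51.100.9", "192.0.2.53",    53),   # source from another internal prefix
    ("lan0", "192.0.2.10",   "192.0.2.53",    53),   # genuine internal client
    ("wan0", "2001:db8::1",  "2001:db8::53",  53),   # IPv6 case
    ("wan0", "192.0.2.200",  "198.51.100.80", 443),  # non-DNS traffic, same violation
]

def is_internal(addr):
    """True if addr falls inside one of the network's own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net
               for net in INTERNAL_PREFIXES)

def sav_violations(flows):
    """Flows that an inbound SAV filter at the edge would have dropped."""
    return [f for f in flows
            if f[0] in EXTERNAL_IFACES and is_internal(f[1])]

def exposed_networks(flows):
    """Count violations per destination /24 (IPv4) or /48 (IPv6)."""
    counts = Counter()
    for _, _, dst, _ in sav_violations(flows):
        ip = ipaddress.ip_address(dst)
        plen = 24 if ip.version == 4 else 48
        net = ipaddress.ip_network(f"{dst}/{plen}", strict=False)
        counts[str(net)] += 1
    return counts

def resolvers_reached(flows):
    """Internal DNS servers that received such packets on port 53."""
    return sorted({f[2] for f in sav_violations(flows) if f[3] == 53})

if __name__ == "__main__":
    for net, n in exposed_networks(FLOWS).items():
        print(f"{net}: {n} packet(s) with internal source arrived from outside")
    print("resolvers reached:", resolvers_reached(FLOWS))
```

Any non-empty result means the edge accepted traffic that claims to originate inside the network, which is the state the measurement in the abstract infers from outside.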

Notes

  1. https://spoofer.caida.org/summary.php.

  2. After our initial scan, we learned that one of the three upstream providers deploys SAV, so we temporarily disabled it to perform our measurements.

  3. https://dev.maxmind.com/geoip/geoip2/geolite2/.

Acknowledgments

The authors would like to thank the anonymous reviewers and our shepherd Ramakrishna Padmanabhan for their valuable feedback. This work has been carried out in the framework of the PrevDDoS project funded by the IDEX Université Grenoble Alpes “Initiative de Recherche Scientifique (IRS)”.

Author information

Corresponding author

Correspondence to Maciej Korczyński.

Appendix

Fig. 5. Fraction of vulnerable to spoofing (inbound traffic) vs. all /24 networks per country

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

Korczyński, M., Nosyk, Y., Lone, Q., Skwarek, M., Jonglez, B., Duda, A. (2020). Don’t Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation of Inbound Traffic. In: Sperotto, A., Dainotti, A., Stiller, B. (eds) Passive and Active Measurement. PAM 2020. Lecture Notes in Computer Science, vol 12048. Springer, Cham. https://doi.org/10.1007/978-3-030-44081-7_7

  • DOI: https://doi.org/10.1007/978-3-030-44081-7_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-44080-0

  • Online ISBN: 978-3-030-44081-7

  • eBook Packages: Computer Science (R0)
