Insights into SAV Implementations in the Internet

Abstract

Source Address Validation (SAV) is designed to block packets with spoofed IP addresses. Obtaining insights into the deployment and implementation of SAV is essential for understanding the potential impact of attacks that exploit spoofed IP addresses and also poses an interesting research question.

No current approaches for identifying networks that enforce SAV can infer information on the specific SAV techniques employed by the network operators. To address this gap, we present the first study of the SAV implementation techniques: Access Control Lists (ACLs) and unicast Reverse Path Forwarding (uRPF). While uRPF is more effective than ACLs, our large-scale Internet measurement reveals that network operators underutilize uRPF. Our study highlights the need for increased efforts to incentivize uRPF adoption and achieve broader network security benefits.

Appendices

A  SVM-Based IPID Classifier

The initial step of SAVscan is to identify global counters from target networks. To achieve this, SAVscan first incorporates an IPID classifier, which is an improvement upon the decision tree (DT) based classifier proposed by Salutari et al. [31]. The latter classifier relies on six features, including the entropy, expectation, and standard deviation of IPID sequences, to distinguish between five categories of IPID implementations. We implement an improved classifier with Support Vector Machine (SVM) model using nine additional features extracted from the time and frequency domains of an IPID time series.

Based on the various IPID assignments in [31], four primary types of IPID time series are outlined: global IPID time series from global counters, per-destination/per-host IPID time series from per-destination counters, random IPID time series from random number generators, constant IPID time series from unchanged IPID allocations. Figures 4 and 5 display four types of IPID time series in the time and frequency domains, respectively, demonstrating noticeable differences between them.

Fig. 4.

IPID values of four categories changing over 100 s.

Fig. 5.

DFT power spectra over a half frequency period (0, 0.5) Hz.

1.1 A.1  Features

We send N requests to a given IP server at a constant rate of one packet per second (1 pps or 1 Hz), alternately using two unique IP addresses (which can distinguish between global and per-destination counters), and extract IPID values \(x_{n}\) from responses, resulting in an IPID time series, denoted as \((x_{n}, t_{n}), n \in [0, N-1]\).

Let s be the N-length IPID time series, with a and b being the two subsequences collected by two unique addresses. We first extract six features Nwrap(a), \(\varDelta _{max}(s)\), \(\varDelta _{max}(a)\), \(\varDelta _{max}(b)\), \(\overline{\varDelta }(s)\), Autocorr(s) from the time domain, introduced below in detail:

\(Nwrap(\cdot )\): This operator measures the frequency of IPID wraparound (which occurs when the IPID value wraps to zero after reaching \(2^{16}-1\)) in a sequence. For global IPIDs, the feature value depends on the rate of counter increase and approaches zero in a stable network with little or no wraparound during the measurement period. In contrast, for random IPIDs, the feature value approximates 50%, with the extreme case being wraparounds occurring every two seconds.

\(\varDelta _{max}(\cdot )\) and \(\overline{\varDelta }(\cdot )\): We define \(\varDelta x_{n}\) as the difference between two consecutive IPID values to remove the potential periodicity (i.e., the IPID value periodically changes from zero to \(2^{16}-1\)) in IPID samples:

$$\varDelta x_{n} = (x_{n+1} - x_{n} + 2^{16}) \bmod 2^{16}, \qquad n \in [0, N-2]$$

\(\varDelta _{max}(\cdot )\) refers to the maximum difference in a given sequence, while \(\overline{\varDelta }(\cdot )\) means the average difference in an N-length time series:

$$\overline{\varDelta } = \frac{1}{N-1}\sum \nolimits _{n=0}^{N-2}\varDelta x_{n}$$

\(\varDelta _{max}(s)\) or \(\overline{\varDelta }(s)\) will be extremely large for per-destination or random IPIDs because the sequence contains many negative increments between two consecutive IPID values.

\(Autocorr(\cdot )\): This operator measures the linear relationship between a given time series and itself using Pearson’s correlation [25] at lag = 1. Global IPID sequences exhibit a strong positive relationship (Autocorr(s) = +1), whereas per-destination sequences show a negative relationship. We assign a zero value to this feature of constant IPIDs since no correlation is defined for this class. This has no impact on IPID identification, as all other features of this class are also zeros.

Next, we transform the N-sample IPID sequence into frequency components using Discrete Fourier Transform (DFT):

$$X_{k} = \sum \nolimits _{n=0}^{N-1}x_{n}e^{-\frac{i2\pi }{N}kn}, \qquad f_{k} = k\frac{f_{s}}{N}, k \in [0, N-1]$$

where \(X_{k}\) is the \(k_{th}\) element of the DFT and \(f_{k}\) represents its corresponding frequency. We subtract the mean of IPID values in the time domain to eliminate the DC (zero frequency) component in the frequency domain to avoid the effect on the analysis of other frequencies. Three features are selected from the frequency domain:

\(f_{d}\): it refers to the corresponding frequency at the peak of the power spectrum [32]. For per-destination IPIDs, we expect a peak at the frequency of 0.5 Hz (e.g., at a sampling rate of 1 Hz, the per-destination IPID has a period of 2 s).

B: it means the width of the frequency band in which 95% of the total power is located [3]. Ideally, random IPIDs have a broadband spectrum characteristic, while global IPIDs have a narrowband as they only contain low frequencies.

\(f_{rolloff}\): it represents the frequency, under which 85% of the total power lies [3]. The \(f_{rolloff}\) value of global IPIDs is relatively small due to their low frequency properties.

B  Algorithm for IPID Prediction

We display the pseudo-code of our IPID prediction approach in Algorithm 1.

Algorithm 1:

Pseudo-code of IPID prediction

C  Spoofed Packet Number

We then estimate how many packets need to be sent for the perturbation of the counter to work. Aforementioned, there will be \(\varPhi (\frac{e_{N}-\mu }{\sigma }) \le \alpha \) in the case of successful IPID perturbation. Then we deduce the value of \(n_{s}\) as follows:

$$\frac{e_{N}-\mu }{\sigma } \le \varPhi ^{-1}(\alpha )$$

$$\tilde{e}_{N}-n_{s} \le \varPhi ^{-1}(\alpha )*\sigma + \mu $$

$$n_{s} \ge -\varPhi ^{-1}(\alpha )*\sigma - \mu + \tilde{e}_{N}$$

We use \(e_{max}\), the maximum prediction error in E, as the estimated value of \(\tilde{e}_{N}\) (which equals \(\hat{x}_{N}-x_{N}\), with an ideal value of 0 when MAE is 0) to yield a relatively large \(n_{s}\) value, ensuring the triggering of the anomaly detection. We also ensure that we send at least one spoofed packet. Then, we define \(n_{s} = 1 + \left[ -\varPhi ^{-1}(\alpha )*\sigma - \mu + e_{max}\right] \). To mitigate potential harm to the tested network, we limit the number of spoofed packets sent to 10 during measurement.