2020 | OriginalPaper | Chapter

Don’t Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation of Inbound Traffic

Authors: Maciej Korczyński, Yevheniya Nosyk, Qasim Lone, Marcin Skwarek, Baptiste Jonglez, Andrzej Duda

Published in: Passive and Active Measurement

Publisher: Springer International Publishing

Abstract

This paper concerns the absence of ingress filtering at the network edge, one of the main causes of serious network security issues. Numerous network operators do not deploy the best current practice, Source Address Validation (SAV), which aims at mitigating these issues. We perform the first Internet-wide active measurement study to enumerate networks that do not filter incoming packets by their source address. The measurement method consists of identifying closed and open DNS resolvers that handle requests arriving from outside the network but carrying a source address from the range assigned inside the network under test. The proposed method provides the most complete picture of the inbound SAV deployment state at network providers. We reveal that 32 673 Autonomous Systems (ASes) and 197 641 Border Gateway Protocol (BGP) prefixes are vulnerable to spoofing of inbound traffic. Finally, using data from the Spoofer project and performing an open resolver scan, we compare the filtering policies in both directions.
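As an added, defender-side illustration of what "locking the front door" means in practice (example code written for this page, not code from the paper or its authors): an edge router deploying inbound SAV drops packets that arrive on an upstream or peer interface while claiming a source address from the network's own prefixes. The functions below make that per-packet decision, run it over flow-log lines to count violations per owned prefix, and render the equivalent nftables rules. The prefixes (203.0.113.0/24 and 2001:db8:100::/48, documentation ranges), the interface names eth0/eth1/eth2, and the key=value flow-log format are all constructed assumptions.

```python
"""Inbound Source Address Validation (SAV): per-packet check, log audit, filter rendering.

Added example for this page, not code from the paper. All prefixes, interface
names and log lines below are constructed for the illustration.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed: prefixes this hypothetical network originates in BGP.
OWN_PREFIXES = [ip_network("203.0.113.0/24"), ip_network("2001:db8:100::/48")]
# Constructed: interfaces facing upstream providers and peers (the "front door").
EXTERNAL_IFACES = frozenset({"eth0", "eth1"})

# Constructed flow-log lines in key=value form, as a router might export them.
SAMPLE_LOG = """\
iface=eth0 src=198.51.100.9 dst=203.0.113.53 proto=udp dport=53
iface=eth0 src=203.0.113.7 dst=203.0.113.53 proto=udp dport=53
iface=eth2 src=203.0.113.7 dst=198.51.100.9 proto=udp dport=53
iface=eth1 src=2001:db8:100::42 dst=2001:db8:100::53 proto=udp dport=53
iface=eth1 src=2001:db8:ffff::1 dst=2001:db8:100::53 proto=udp dport=53
iface=eth0 src=not-an-ip dst=203.0.113.53 proto=udp dport=53
"""


def internal_prefix(src, own_prefixes=OWN_PREFIXES):
    """Return the owned prefix containing src, or None (also None when src is unparsable)."""
    try:
        addr = ip_address(src)
    except ValueError:
        return None
    for prefix in own_prefixes:
        if addr.version == prefix.version and addr in prefix:
            return prefix
    return None


def violates_inbound_sav(iface, src, own_prefixes=OWN_PREFIXES, external=EXTERNAL_IFACES):
    """True when a packet enters on an external interface but claims an internal source.

    Packets on internal interfaces are out of scope: their sources are the job of
    egress (outbound) SAV, which this check deliberately does not cover.
    """
    return iface in external and internal_prefix(src, own_prefixes) is not None


_KV = re.compile(r"(\w+)=(\S+)")


def parse_flow_line(line):
    """Parse one 'key=value ...' flow-log line into a dict; None for blank lines."""
    line = line.strip()
    if not line:
        return None
    return dict(_KV.findall(line))


def audit_log(text, own_prefixes=OWN_PREFIXES, external=EXTERNAL_IFACES):
    """Count inbound-SAV violations per owned prefix over a block of flow-log text.

    Returns a Counter keyed by prefix string; prefixes with no hits are absent.
    """
    hits = Counter()
    for raw in text.splitlines():
        rec = parse_flow_line(raw)
        if not rec or "iface" not in rec or "src" not in rec:
            continue  # malformed or incomplete record: skip rather than guess
        if violates_inbound_sav(rec["iface"], rec["src"], own_prefixes, external):
            hits[str(internal_prefix(rec["src"], own_prefixes))] += 1
    return hits


def nftables_rules(own_prefixes=OWN_PREFIXES, external=EXTERNAL_IFACES):
    """Render an nftables ruleset that drops inbound packets spoofing an internal source.

    The prerouting hook at raw priority (-300) sees forwarded and locally delivered
    packets alike, before connection tracking, so spoofed packets never create state.
    """
    ifaces = ", ".join(f'"{i}"' for i in sorted(external))
    lines = [
        "table inet inbound_sav {",
        "  chain prerouting {",
        "    type filter hook prerouting priority -300; policy accept;",
    ]
    for prefix in own_prefixes:
        proto = "ip" if prefix.version == 4 else "ip6"
        lines.append(f"    iifname {{ {ifaces} }} {proto} saddr {prefix} counter drop")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for prefix, n in audit_log(SAMPLE_LOG).items():
        print(f"{n} inbound packet(s) spoofing {prefix}")
    print(nftables_rules())
```

On the constructed log, two lines are flagged: the IPv4 query from eth0 claiming 203.0.113.7 and the IPv6 query from eth1 claiming 2001:db8:100::42; the same internal source seen on the internal interface eth2 is left to egress filtering, and the unparsable source is skipped. The rendered ruleset is the inbound half of the practice the paper measures; the `counter` keyword keeps a hit count so an operator can confirm the rule is actually seeing spoofed traffic after deployment.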


Footnotes

2. After our initial scan, we learned that one of the three upstream providers deploys SAV, so we temporarily disabled it to perform our measurements.
DOI: https://doi.org/10.1007/978-3-030-44081-7_7