On 2017-03-01 23:49, Jeroen Massar wrote:
> On 2017-03-01 17:02, Franziska Lichtblau wrote:


Related paper:


Using Loops Observed in Traceroute to Infer the Ability to Spoof

Despite source IP address spoofing being a known vulnerability for at
least 25 years, and despite many efforts to shed light on the problem,
spoofing remains a popular attack method for redirection, amplification,
and anonymity. To defeat these attacks requires operators to ensure
their networks filter packets with spoofed source IP addresses, known as
source address validation (SAV), best deployed at the edge of the
network where traffic originates. In this paper, we present a new method
using routing loops appearing in traceroute data to infer inadequate SAV
at the transit provider edge, where a provider does not filter traffic
that should not have come from the customer. Our method does not require
a vantage point within the customer network. We present and validate an
algorithm that identifies at Internet scale which loops imply a lack of
ingress filtering by providers. We found 703 provider ASes that do not
implement ingress filtering on at least one of their links for 1,780
customer ASes. Most of these observations are unique compared to the
existing methods of the Spoofer and Open Resolver projects. By
increasing the visibility of the networks that allow spoofing, we aim to
strengthen the incentives for the adoption of SAV.


swinog mailing list
