An incrementally deployable anti-spoofing mechanism for software-defined networks
Introduction
IP spoofing, i.e., forging a packet’s source IP address, remains an unsolved security problem in today’s Internet [1], [2], [3]. Forged source addresses give attackers anonymity, indirection, and amplification [1], which they use, for example, to circumvent source-based filtering and to mount denial-of-service (DoS) attacks. Most notably, an attacker may exhaust a server’s resources with a TCP SYN flood of spoofed packets [4]. Backscatter traffic analysis infers that several hundred DDoS attacks employing spoofing occur daily [5]. In February 2014, a massive DDoS attack reaching 400 gigabits per second hit EU- and US-based servers; it used IP spoofing to exploit the Network Time Protocol (NTP). This so-called NTP reflection attack shows that IP spoofing is still a significant problem in today’s Internet [6].
Contemporary attacks often forgo IP spoofing and instead use enormous botnets to mask the perpetrator’s source address during a DDoS attack. In addition to the prevalence of non-spoofed DDoS attacks, the broad deployment of ingress filtering, e.g., 80% of the ASes participating in the MIT Spoofer project are non-spoofable [7], induces the misconception that spoofing is no longer an open problem. However, the remaining 20% of networks suffice to generate spoofed traffic towards any target [3]. Consequently, ingress filtering is insufficient unless it is fully deployed [8]: it only filters outgoing packets, so the benefit accrues to other networks rather than to the network that adopts it. Furthermore, the diversity of new exploits gives attackers enough motivation to continue spoofing-based attacks [1], [9], including DNS amplification attacks, TCP reset attacks, spam filter circumvention, network scans, and DNS poisoning. Recently, Qian and Mao found a new exploit using IP spoofing, which leverages the predictability of TCP sequence numbers on firewall middleboxes to enable off-path TCP attacks [10]. Over many years, several anti-spoofing solutions have been suggested, but none has achieved widespread deployment.
In “Crossing the Chasm”, Moore notes that the customers for a technological innovation range from early adopters to the early majority, the late majority, and finally laggards [11]. A central factor in the deployment of networking protocols is the availability of hardware and software that implements them. Although the market for Internet technology differs from that for a mainstream product, we can still draw a partial analogy. We conjecture that the deployment of networking protocols follows a similar trend: early adopters with a critical need for a new technology start to use it in their networks. As larger network operators recognize the necessity of the technology and observe customer demand, they implement the feature as well; these are the early mainstream network operators. Finally, some network operators do not update their networks frequently and thus require a longer time to implement the functionality. In terms of incremental deployability, a viable protocol therefore needs three properties: initial benefits for the early adopters, incremental benefits for the early majority, and effectiveness under partial deployment.
- Initial benefit: The protocol needs to provide initial benefits for early adopters. Ideally, the initial deployments already provide a benefit.
- Incremental benefit: The protocol needs to provide incremental benefits for the early majority. Such benefits should increase as deployment proceeds.
- Partial deployment: The protocol needs to provide properties such that a proportionally small deployment becomes sufficiently effective. Broad deployment requires a prolonged period; thus, a practical protocol approaches full strength when approximately 30–50% of routers deploy the mechanism. This requires about 10% of larger ASes.
An anti-spoofing protocol needs to be not only technically sound but also economically acceptable. Unfortunately, currently proposed IP spoofing prevention mechanisms are inadequate, especially in providing incentives for deployers.
To satisfy the above three properties for a viable protocol, we propose a new mechanism called “BGP-based Anti-Spoofing Extension” (BASE). BASE is designed for implementation on software-defined networks (SDN). SDN separates the control plane from the data plane and provides a logically centralized, programmable controller that manages the entire network: network control moves to the controller, and the devices in the data plane become simple packet-forwarding elements. SDN lets network operators program and control their networks far more flexibly than traditional networks, which are rigid with respect to network dynamics. Driven by this, SDN has emerged as an innovative network architecture and is becoming a reality in the modern Internet. BASE can therefore be adopted and deployed in real networks as SDN environments grow.
BASE consists of four phases: distribution of marking values, filter invocation, packet marking and filtering, and filter revocation. Valid marking values are distributed among BASE routers using BGP update messages; the marking values for each BASE router are computed by its SDN controller from cryptographic hash chains. When a spoofing attack occurs, the controller of the victim network sends invocation messages to the SDN controllers of other SDN ASes, and each controller that receives an invocation message initiates packet marking and filtering on the BASE routers under its control. Communication among BASE entities can be carried in optional transitive attributes of BGP [12], which allows messages to be delivered under partial deployment. Only legitimate traffic travelling a valid path then carries a correct mark; spoofed packets carry incorrect marking values and are dropped by an intermediate BASE router. Furthermore, the capability to invoke filtering on the network of BASE routers can be given to the BASE deployers themselves, which is a direct benefit of adopting BASE in their networks.
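The four phases above, as an added illustration (this is not the paper’s code, and the paper does not specify its marking format): a small Python model in which each BASE controller derives its marks from a SHA-256 hash chain whose final value is announced as a BGP anchor and whose earlier values are released one per epoch, and each BASE router on a path checks that a packet carries exactly the marks of the upstream BASE ASes on the BGP route for its claimed source before adding its own. The topology, prefixes, per-AS per-epoch mark, epoch handling and per-hop check are assumptions of this example, not BASE’s specification.

```python
"""Toy model of BASE's four phases: distribute marks, invoke, mark/filter, revoke.
Added illustration: topology, SHA-256 chain released backwards from a BGP-announced
anchor, per-AS per-epoch marks and the per-hop check are this example's assumptions."""
import hashlib
import ipaddress
from dataclasses import dataclass, field

# Constructed AS-level topology: originated prefixes and BASE deployers.
ORIGIN = {1: "10.1.0.0/16", 2: "10.2.0.0/16", 3: "10.3.0.0/16",
          4: "10.4.0.0/16", 5: "10.5.0.0/16"}
BASE_ASES = {2, 4, 5}                            # ASes 1 and 3 are legacy
# Best AS paths as BGP would select them, keyed by (origin AS, destination AS).
ROUTES = {(1, 5): [1, 2, 4, 5], (2, 5): [2, 4, 5], (3, 5): [3, 4, 5], (4, 5): [4, 5]}
CHAIN_LEN = 8                                    # one chain covers CHAIN_LEN - 1 epochs

def as_of(ip):
    """AS that originates the prefix containing ip, or None."""
    for asn, prefix in ORIGIN.items():
        if ipaddress.ip_address(ip) in ipaddress.ip_network(prefix):
            return asn
    return None

def build_chain(seed, length=CHAIN_LEN):
    """h[0] = H(seed), h[i] = H(h[i-1]); h[-1] is the anchor announced in BGP."""
    chain, cur = [], seed
    for _ in range(length):
        cur = hashlib.sha256(cur).digest()
        chain.append(cur)
    return chain

def epoch_value(chain, epoch):
    """Mark for `epoch`; values are consumed backwards from the anchor's preimage."""
    return chain[len(chain) - 2 - epoch]

def verify_mark(value, anchor, epoch):
    """A genuine mark for `epoch` reaches the anchor after epoch + 1 hashes."""
    for _ in range(epoch + 1):
        value = hashlib.sha256(value).digest()
    return value == anchor

@dataclass
class Packet:
    src: str
    dst: str
    marks: list = field(default_factory=list)    # [(asn, value)] added in transit

@dataclass
class BaseNetwork:
    chains: dict = field(default_factory=dict)   # controller-private, per AS
    anchors: dict = field(default_factory=dict)  # learned from BGP updates
    invoked: set = field(default_factory=set)    # victim prefixes being filtered
    epoch: int = 0

    def distribute(self, seeds):
        """Phase 1: each BASE controller builds a chain and announces its anchor."""
        for asn in BASE_ASES:
            self.chains[asn] = build_chain(seeds[asn])
            self.anchors[asn] = self.chains[asn][-1]

    def invoke(self, prefix):   # Phase 2: the victim's controller requests filtering
        self.invoked.add(ipaddress.ip_network(prefix))

    def revoke(self, prefix):   # Phase 4: marking and checking stop
        self.invoked.discard(ipaddress.ip_network(prefix))

    def forward(self, pkt, actual_path):
        """Phase 3: carry pkt through the ASes it really traverses.
        Returns (delivered, asn_that_dropped_it)."""
        dst_as = as_of(pkt.dst)
        active = any(ipaddress.ip_address(pkt.dst) in p for p in self.invoked)
        for hop in actual_path:
            if hop not in BASE_ASES or not active:
                continue                         # legacy AS, or nothing invoked
            route = ROUTES.get((as_of(pkt.src), dst_as), [])
            if hop not in route:                 # claimed source never routes via here
                return False, hop
            expected = [a for a in route[:route.index(hop)] if a in BASE_ASES]
            if [a for a, _ in pkt.marks] != expected or not all(
                    verify_mark(v, self.anchors[a], self.epoch) for a, v in pkt.marks):
                return False, hop                # missing, extra, forged or stale marks
            pkt.marks.append((hop, epoch_value(self.chains[hop], self.epoch)))
        return True, None

def demo():
    """Constructed scenarios; AS 5 (10.5.0.0/16) is the victim."""
    net = BaseNetwork()
    net.distribute({asn: f"as{asn}-seed".encode() for asn in BASE_ASES})
    net.invoke("10.5.0.0/16")
    out = {"legit": net.forward(Packet("10.1.0.7", "10.5.0.1"), [1, 2, 4, 5])}
    # attacker in legacy AS 3 spoofs an AS 1 address: no AS 2 mark on arrival at AS 4
    out["spoof_from_legacy"] = net.forward(Packet("10.1.0.7", "10.5.0.1"), [3, 4, 5])
    # attacker in legacy AS 1 spoofs an AS 3 address: AS 2 is not on AS 3's route
    out["spoof_off_route"] = net.forward(Packet("10.3.0.9", "10.5.0.1"), [1, 2, 4, 5])
    stale = epoch_value(net.chains[2], net.epoch)  # captured AS 2 mark, replayed later
    net.epoch += 1
    out["replayed_mark"] = net.forward(Packet("10.1.0.7", "10.5.0.1", [(2, stale)]), [4, 5])
    net.revoke("10.5.0.0/16")                    # no filter invoked: nothing is checked
    out["after_revoke"] = net.forward(Packet("10.1.0.7", "10.5.0.1"), [3, 4, 5])
    return out
```

In this toy the deployer benefits only once it invokes filtering for its own prefix, and the hash-chain check rejects marks replayed from an earlier epoch; a mark observed during the current epoch could still be replayed until the epoch advances, so the epoch length bounds that exposure in this model.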
One filtering scheme that shows incremental deployability is route-based distributed packet filtering (DPF) [8]. DPF drops spoofed packets that travel routes which are not valid for their claimed source addresses, and its filtering quality increases with the degree of deployment. However, it gives no direct benefit to the adopters: everyone shares the benefit of the filtered spoofed packets, which discourages deployment of DPF.
In our experiments, BASE was implemented on virtual OpenFlow networks using Mininet [13], Open vSwitch [14] and POX [15] to verify that it operates correctly. The filtering power against spoofed packets rises substantially as the number of deploying entities increases: with only about 30% of ASes deploying the mechanism, about 97% of attack packets are filtered. We show that BASE outperforms previously proposed schemes in filtering spoofed packets while satisfying the incremental deployability properties.
The contributions of this work can be summarized as follows:
- BASE is the first work to consider the incremental deployability properties by giving a visible benefit to early adopters.
- BASE provides on-demand filtering, which reduces unnecessary overhead while retaining sufficient security.
- BASE is implemented on a popular open-source SDN project using only standard OpenFlow APIs.
- BASE shows that IP spoofing attacks can be effectively filtered with limited deployment.
The rest of this paper is organized as follows. Section 2 describes the background of SDN and the fundamental techniques underlying our work. Section 3 gives a detailed description of BASE, and Section 4 a security analysis. Section 5 outlines the experimental settings and results. In Section 6, we discuss several issues that arise when BASE is run in a real network. Section 7 describes related work, and Section 8 concludes the paper with the remaining challenges.
Section snippets
Background
To better understand the BASE mechanism, we introduce the historical background, basic architecture, and application fields of SDN. Moreover, the fundamental techniques we applied to the BASE mechanism will be described in detail.
The BASE mechanism
This section proposes a new mechanism called “BGP-based Anti-Spoofing Extension” (BASE), which combines features of Pi [48] and DPF [8]. BASE functions as an anti-spoofing solution by performing per-packet deterministic packet marking (the Pi feature) and by overloading the BGP routing protocol to propagate marking information (the DPF feature). In addition to using the features of Pi and DPF, BASE further satisfies the three deployment properties. In BASE, path-based marking enables in-network filtering
Circumventing BASE routers
The first measure of the effectiveness of an anti-spoofing mechanism is the proportion of spoofed packets that are dropped prior to arriving at a victim’s location. We consider a network with partial deployment as shown in Fig. 15.
In the case of ingress filtering [60], an attacker can mount an attack with spoofed packets at 5 locations. In the case of DPF [41], only 3 locations are available to an attacker for mounting a spoofing attack. The attacker at the locations
Evaluation
To evaluate the performance of BASE, experiments were performed at two levels: a high-level simulation on an Internet-scale topology to estimate filtering performance, and a low-level simulation on SDN to verify the functions of BASE.
In the first experiment, an Internet-scale simulation was conducted for a performance estimation with different anti-spoofing mechanisms. We compared filtering performance of BASE with three different well-known filtering schemes according to filter placement strategy and
Adopter’s benefit
Ingress filtering and DPF are more powerful when deployed near the attacking location but less effective near the victim. Therefore, ISPs that are potential victims have little motivation to adopt ingress filtering or DPF. Only Pi gives an obvious benefit to a victim defending against spoofing attacks. Nevertheless, Pi still has a significant weakness: its full benefit materializes only after large-scale deployment. Therefore, Pi cannot be an immediate solution for a victim of
Related work
Researchers have followed two main directions in the investigation of techniques to mitigate spoofed source IP addresses: IP traceback and detection of spoofed packets. The goal of IP traceback is to find the true origin(s) of attack packets. One IP traceback mechanism is packet marking, which can be either deterministic [81], [52], [54] or probabilistic [41], [44], [47], [53]. However, IP traceback has several drawbacks. For example, spoofed packets can destroy a victim’s network before
Conclusions
The BASE mechanism is proposed to fulfill the incremental deployment properties that are essential for adoption in the current Internet. Along with distributed filtering, cryptographic packet marking, and on-demand filtering for the destination addresses of the victim’s network, its protective power grows as BASE filters are deployed gradually. The BASE mechanism offers strong incremental deployment benefits over existing solutions because.
BASE is a promising approach for
Acknowledgments
We are grateful to Damon Smith and Jihoon Son for conducting the simulations and Geoffrey Hasker for valuable discussions. A preliminary version of this paper appeared in ACM Symp. on Information, Computer and Communication Security 2007 [88].
References (88)
- et al., Vase: filtering IP spoofing traffic with agility, Comput. Netw. (2013)
- et al., On deterministic packet marking, Comput. Netw. (2007)
- R. Beverly, A. Berger, Y. Hyun, K. Claffy, Understanding the efficacy of deployed internet source address validation...
- et al., On the state of IP spoofing defense, ACM Trans. Internet Technol. (2009)
- et al., Comparative evaluation of spoofing defenses, IEEE Trans. Dependable Secure Comput. (2011)
- CERT, TCP SYN Flooding and IP Spoofing Attacks, Advisory CA-96.21, September...
- et al., Inferring internet denial-of-service activity, ACM Trans. Comput. Syst. (TOCS) (2006)
- ICS-CERT, NTP Reflection Attack, Advisory (ICSA-14-051-04), February 2014....
- A.N.A. Group, MIT ANA Spoofer Project, October 2011....
- K. Park, H. Lee, On the effectiveness of route-based packet filtering for distributed DoS attack prevention in...