trackingSpoofedIp.pptx
1. Tracking Down Sources of Spoofed IP Packet
NAME : GOPIKA Y
REG NO : CEK19CS010
BATCH : S7 CSE
GUIDE : Mrs. GEETHU RAJU G
DEPARTMENT OF CSE
COLLEGE OF ENGINEERING,
KOTTARAKKARA
TRACKING DOWN SOURCES OF
SPOOFED IP PACKETS
OVERVIEW
ABSTRACT
INTRODUCTION
EXISTING IP TRACEBACK METHODS
A NEW APPROACH
LOCATING SOURCES OF SPOOFED TRAFFIC
OPERATIONAL CONSIDERATIONS
CONCLUSION
REFERENCE
ABSTRACT
IP spoofing, or IP address spoofing, refers to the creation of Internet Protocol (IP) packets with a false source
IP address to impersonate another computer system in order to access sensitive personal information.
Lack of authentication in the Internet’s data plane allows hosts to falsify (spoof) the source IP address in
packet headers, which forms the basis for amplification denial-of-service (DoS) attacks.
In a DoS attack, hackers use spoofed IP addresses to overwhelm computer servers with packets of data.
This seminar discusses methods used to trace these spoofed IP packets.
INTRODUCTION
IP SPOOFING
It is a situation in which one person or program successfully masquerades as another by falsifying
information/data, thereby gaining an illegitimate advantage.
Also called IP address forgery or host file hijack.
TYPES OF IP SPOOFING ATTACK
IP spoofing can in turn enable various attacks:
1. Blind Spoofing
2. Non-Blind Spoofing
3. Man-in-the-middle attack
4. Denial-of-service attack
EXISTING IP TRACEBACK METHODS
Existing IP traceback methods can be categorized as proactive and reactive tracing.
Proactive tracing: prepares information for tracing while packets are in transit.
Two proactive methods:
a) Packet marking
b) Messaging
Reactive tracing: starts tracing after an attack is detected.
A NEW APPROACH
A network operator can estimate the volume of spoofed traffic received at each of its network’s peering
links and the set of networks routed toward each peering link (a catchment).
An operator can change the announcements for an IP prefix to induce changes to routes toward their
prefixes and, more importantly, in the catchment of each peering link.
The catchment changes, in turn, impact the volume of spoofed traffic observed at each peering link.
In Configuration 1, the operator announces a prefix through three peering links with networks m, n, and p;
measures the catchment (colored polygons) and traffic arriving on each peering link; and identifies that the spoofed
traffic is concentrated on the link with n, i.e., sent by networks in n’s catchment (red arrow).
The operator later withdraws the announcement to n (Configuration 2), measures catchments and traffic volumes
again, and identifies that the spoofed traffic is now concentrated on the peering link with m.
Configuration 3 announces the prefix from n again, but poisons AS u (which causes AS u to ignore the route
from n and choose the route from p instead). The operator can measure catchments and traffic to identify that the
spoofed traffic is concentrated on the peering link with p.
Finally, the operator can intersect the measured catchments to partition networks into clusters (bottom right), and
correlate clusters with observed spoofed traffic (red arrows) to identify that the spoofed traffic is concentrated on
networks comprising λ.
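The catchment intersection described above, as an added example (not code from the slides or from the referenced paper). The AS names other than u, the traffic volumes, the 50% concentration threshold and all function names are assumptions constructed for illustration, and the correlation step assumes a single dominant source region.

```python
from collections import defaultdict

# Constructed sample mirroring the three configurations described above.
# AS names a, b, c, v, w, x are hypothetical; volumes are packets per interval.
CONFIGS = [
    {"catchment": {"a": "m", "b": "m", "u": "n", "x": "n", "v": "n", "w": "n", "c": "p"},
     "spoofed": {"m": 10, "n": 950, "p": 5}},    # 1: announce via m, n, p
    {"catchment": {"a": "m", "b": "m", "u": "m", "x": "m", "v": "m", "w": "p", "c": "p"},
     "spoofed": {"m": 940, "n": 0, "p": 8}},     # 2: withdrawn from n
    {"catchment": {"a": "m", "b": "m", "u": "p", "x": "p", "v": "n", "w": "n", "c": "p"},
     "spoofed": {"m": 12, "n": 6, "p": 960}},    # 3: n again, AS u poisoned
]

def cluster_by_signature(configs):
    """Intersect catchments: ASes routed to the same link in every
    configuration are indistinguishable and form one cluster."""
    clusters = defaultdict(set)
    common = set.intersection(*(set(c["catchment"]) for c in configs))
    for asn in common:
        clusters[tuple(c["catchment"][asn] for c in configs)].add(asn)
    return dict(clusters)

def hot_links(config, share=0.5):
    """Links that received at least `share` of the spoofed volume."""
    total = sum(config["spoofed"].values())
    return {l for l, v in config["spoofed"].items() if total and v / total >= share}

def candidate_clusters(configs, share=0.5):
    """Clusters whose link in every configuration is where spoofed traffic
    concentrated (assumes one dominant source region)."""
    hot = [hot_links(c, share) for c in configs]
    return {sig: asns for sig, asns in cluster_by_signature(configs).items()
            if all(link in hot[i] for i, link in enumerate(sig))}

def narrowing(configs):
    """Candidate source ASes remaining after each successive configuration."""
    return [set().union(*candidate_clusters(configs[:k]).values())
            for k in range(1, len(configs) + 1)]

if __name__ == "__main__":
    for k, remaining in enumerate(narrowing(CONFIGS), 1):
        print(f"after configuration {k}: {sorted(remaining)}")
    print("suspect cluster:", candidate_clusters(CONFIGS))
```

Each added configuration splits clusters further, so the candidate set shrinks from n's whole catchment to the networks that followed the spoofed traffic across all three links.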
LOCATING SOURCES OF SPOOFED TRAFFIC
1. INDUCED ROUTING CHANGES
a) Varying announcement locations
b) Iterative AS-path prepending
c) Targeted AS-path poisoning
2. CORRELATING OBSERVATIONS
3. ESTIMATING VOLUME OF SPOOFED TRAFFIC
OPERATIONAL CONSIDERATIONS
1. Deployment Requirements
This technique generates anycast announcements.
Multiple small networks can cooperate to announce the same prefix and operate as a larger network that
controls all of their peering links.
2. Requirements on Spoofed Traffic
Our techniques can be applied even when the volume of spoofed traffic is small, as they only require
information about which peering link is receiving spoofed traffic.
3. Measuring Catchment
This approach was chosen because PEERING prefixes receive very little traffic and PEERING restricts active
probing using its resources.
CONCLUSION
Our control-plane traceback technique can be deployed by any network with rich connectivity today, without
changes to routers, and does not require cooperation from other networks.
Our results using the PEERING platform indicate that our proposed techniques to generate announcement
configurations can effectively manipulate routes and induce catchment changes, making it possible to track down
the sources of spoofed traffic.
REFERENCE
[1] Osvaldo Fonseca, Italo Cunha, Elverton Fazzion, Brivaldo Junior, Ronaldo A. Ferreira and Ethan Katz-Bassett,
“Tracking Down Sources of Spoofed IP Packets”, in CoNEXT ’19 Companion, December 9–12, 2019, Orlando,
FL, USA.
[2] Osvaldo Fonseca, Italo Cunha, Elverton Fazzion, Wagner Meira Jr., Brivaldo Junior, Ronaldo A. Ferreira and
Ethan Katz-Bassett, “Identifying Networks Vulnerable to IP Spoofing”, in 2021 IEEE Transactions on Network
and Service Management.
[3] Alaaeldin A. Aly and Ezedin Barka, “Tracking and Tracing Spoofed IP Packets to Their Sources”, in 2022, The
Sixth Annual U.A.E. Research Conference.
[4] Ayman Mukaddam, Imad Elhajj, Ayman Kayssi and Ali Chehab, “IP Spoofing Detection”, in 2014 IEEE 28th
International Conference on Advanced Information Networking and Applications, 512-516, 2014.