Detecting Spoofing at IXPs
0 likes209 views
This document discusses detecting spoofing at internet exchange points (IXPs). It begins by providing background on Cloudflare and some statistics on their global network. It then discusses how spoofing allows very small requests to become large distributed denial of service (DDoS) attacks. The document outlines Cloudflare's IXPantiSpoofer script, which matches MAC addresses from an IXP to autonomous system (AS) numbers to detect spoofing. It encourages improving detection methods and argues that IXPs could help alert members to misconfigurations and isolate malicious traffic, improving security for all members.
Detecting Spoofing at IXPs
- 1. Detecting Spoofing at IXPs APRICOT 2018 Tom Paseka
- 2. About Cloudflare Cloudflare makes websites faster and safer using our globally distributed network to deliver essential services to any website ● Performance ● Content ● Optimisation ● Security ● 3rd party services ● Analytics
- 3. Some numbers... ● 100+ PoPs ● 50+ Countries ● 150+ Internet exchanges ● >400bn Web requests a day ~10% of all web requests ● Regular DDoS attacks larger than 500Gbps, 300M PPS
- 4. Spoofing?
- 5. Spoofing? ● A very small request becomes a very big attack ● Lots of focus on fixing the applications causing the spoofing. ○ Not much on fixing the source of spoofing Some of the projects: ● openntpproject.org ● openresolverproject.org ● bcp38.info
- 6. Spoofed Attacks - History that we’ve seen When Nickname Type Volume 2011 SNMP Amp SNMP Amplification / Reflection 80Gbps 2013 Spamhaus DNS Amplification / Reflection 300Gbps 2014 "Winter of Attacks" Direct 400Gbps 2015 NTP Amp NTP Amplification / Reflection 400Gbps+ 2016 IoT Direct 500Gbps+
- 7. Why does this matter?
- 9. Why does spoofing matter? •This is my good friend Walt Wollny •Let’s say, he was assaulted, but it was by masked assailant •Without removing the mask, there can’t be legal retribution •Without attribution, there can be no discussion!
- 10. What about IXPs
- 11. Detecting Spoofing? ● Detecting spoofing can be challenging ● uRPF? ● Some Diagrams:
- 12. Where did the attack come from?
- 13. Where did the attack come from?
- 14. Detecting Spoofing ● Using flow (net, s, j, etc) it's easy to record incoming interface ● Simple logic can determine if it’s spoofed: An interface connected a hosting provider is highly unlikely to have traffic from Google IPs.
- 15. How about at an IXP?
- 16. How about at an IXP?
- 17. How about an IXP? ● OK, We can see the source interface on our router, but there are hundreds of possible sources on the other side. ● MAC addresses!
- 18. Enter some basic scripting!
- 19. sflowtool + my PHP = IXPantiSpoofer # sflowtool -p 9888 -l | php sflow.php defining AS-SETs to MAC matching loading the IRR data into memory. collecting flow data..... Packet didnt match irr: Source: 192.168.1.23, Destination:104.16.23.235, MAC:0ca4029f756a, IRR SET:AS-SKYNETBE
- 20. IXP anti Spoofer ● Script does several things: ○ Takes input of ARP table from your router (as a text file) ○ Downloads that ASN’s IRR set with bgpq3 and aggregate with aggregate/aggregate6 (manual step) ○ Receives sflow packets in text format from sflowtool (https://github.com/sflow/sflowtool) ○ Matches MAC address to IRR set and checks if IP address is member of IRR set. ● Code is here: https://github.com/tpaseka/IXPantiSpoofer
- 21. sflowtool + my awful PHP = IXPantiSpoofer # sflowtool -p 9888 -l | php sflow.php defining AS-SETs to MAC matching loading the IRR data into memory. collecting flow data..... Packet didnt match irr: Source: 192.168.1.23, Destination:104.16.23.235, MAC:0ca4029f756a, IRR SET:AS-SKYNETBE
- 22. Make it better! ● Improve detection of spoofing. ● Code it properly, re-implement away from PHP ● Make it faster! ● Use better libraries (hint: https://github.com/job/aggregate6 <3 Job) ● Collect metrics, draw pretty graphs ● IRR data isn’t 100%, but it's a first step.
- 23. Make it better! ● Get Cisco to support MAC address fields in NetFlow v9 ● Get Juniper to support MAC address fields in IPFIX/jflow ● Can’t reiterate the above enough ● Please add this support!
- 24. Make it better! Dear Cisco Juniper Other __________, I require your software to support the following feature(s) MAC data in IPFIX/jflow/NetFlow v9/10 traceroute: IPv6 traceroute with as-number-lookup not supported yet (Juniper ER: ER 28631) These features are business requirements needed for me to operate your product.
- 25. Make it better! ● Convince an IXP to run it! ● Huge value to report on spoofed traffic ● IXPs can help to alert members of misconfiguration for spoofing ● For malicious members, these can be stopped / isolated / disconnected ● Internet becomes a little bit better.
- 26. Make it better! ● I can already hear the IXPs saying “what about privacy?!” ● This can be done in preprocessing, you already process flow frames and this can be added ● What might it look like?
- 27. Make it better! <grafana of IXP traffic>
- 28. Make it better! ● Why stop here? ● IXPs can do further to help their members ● Further than source detection, look at destination detection ● Transit-detection? See if someone is sending a default to your port for free transit.
- 29. Summary ● Data is easy to collect and available in many cases already. ● Detection is simple. ● Identifying and stopping the source of spoofing greatly improves the internet for everyone. ● IXPs might be able to offer better products too!
- 30. Questions ? Criticisms ? General Banter?
- 31. Thank you!