DeepAI AI Chat
Log In Sign Up

Don't Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation of Inbound Traffic

by   Maciej Korczynski, et al.
Université Grenoble Alpes

This paper concerns the problem of the absence of ingress filtering at the network edge, one of the main causes of important network security issues. Numerous network operators do not deploy the best current practice - Source Address Validation (SAV) that aims at mitigating these issues. We perform the first Internet-wide active measurement study to enumerate networks not filtering incoming packets by their source address. The measurement method consists of identifying closed and open DNS resolvers handling requests coming from the outside of the network with the source address from the range assigned inside the network under the test. The proposed method provides the most complete picture of the inbound SAV deployment state at network providers. We reveal that 32 673 Autonomous Systems (ASes) and 197 641 Border Gateway Protocol (BGP) prefixes are vulnerable to spoofing of inbound traffic. Finally, using the data from the Spoofer project and performing an open resolver scan, we compare the filtering policies in both directions.


page 1

page 2

page 3

page 4


The Closed Resolver Project: Measuring the Deployment of Source Address Validation of Inbound Traffic

Source Address Validation (SAV) is a standard aimed at discarding packet...

Source Address Validation

Source address validation (SAV) is a standard formalized in RFC 2827 aim...

SMap: Internet-wide Scanning for Ingress Filtering

To protect from attacks, networks need to enforce ingress filtering. Des...

Keep Your Friends Close, but Your Routeservers Closer: Insights into RPKI Validation in the Internet

IP prefix hijacks allow adversaries to redirect and intercept traffic, p...

Autonomous Unknown-Application Filtering and Labeling for DL-based Traffic Classifier Update

Network traffic classification has been widely studied to fundamentally ...

A Comprehensive Study of Accelerating IPv6 Deployment

Since the lack of IPv6 network development, China is currently accelerat...

Chocolatine: Outage Detection for Internet Background Radiation

The Internet is a complex ecosystem composed of thousands of Autonomous ...