DeepAI AI Chat
Log In Sign Up

Don't Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation of Inbound Traffic

02/02/2020
by   Maciej Korczynski, et al.
Université Grenoble Alpes
0

This paper concerns the problem of the absence of ingress filtering at the network edge, one of the main causes of important network security issues. Numerous network operators do not deploy the best current practice - Source Address Validation (SAV) that aims at mitigating these issues. We perform the first Internet-wide active measurement study to enumerate networks not filtering incoming packets by their source address. The measurement method consists of identifying closed and open DNS resolvers handling requests coming from the outside of the network with the source address from the range assigned inside the network under the test. The proposed method provides the most complete picture of the inbound SAV deployment state at network providers. We reveal that 32 673 Autonomous Systems (ASes) and 197 641 Border Gateway Protocol (BGP) prefixes are vulnerable to spoofing of inbound traffic. Finally, using the data from the Spoofer project and performing an open resolver scan, we compare the filtering policies in both directions.

READ FULL TEXT

page 1

page 2

page 3

page 4

06/09/2020

The Closed Resolver Project: Measuring the Deployment of Source Address Validation of Inbound Traffic

Source Address Validation (SAV) is a standard aimed at discarding packet...
01/24/2023

Source Address Validation

Source address validation (SAV) is a standard formalized in RFC 2827 aim...
03/12/2020

SMap: Internet-wide Scanning for Ingress Filtering

To protect from attacks, networks need to enforce ingress filtering. Des...
03/21/2023

Keep Your Friends Close, but Your Routeservers Closer: Insights into RPKI Validation in the Internet

IP prefix hijacks allow adversaries to redirect and intercept traffic, p...
02/15/2020

Autonomous Unknown-Application Filtering and Labeling for DL-based Traffic Classifier Update

Network traffic classification has been widely studied to fundamentally ...
04/20/2022

A Comprehensive Study of Accelerating IPv6 Deployment

Since the lack of IPv6 network development, China is currently accelerat...
06/11/2019

Chocolatine: Outage Detection for Internet Background Radiation

The Internet is a complex ecosystem composed of thousands of Autonomous ...