SMap: Internet-wide Scanning for Ingress Filtering
To protect from attacks, networks need to enforce ingress filtering. Despite the importance, the existing studies do not allow to infer the extent of ingress filtering at Internet-scale, providing results with only a limited coverage: they can either measure networks that operate servers with faulty network-stack implementations, or require installation of the measurement software by volunteers, or assume specific properties, like traceroute loops, which are challenging to reproduce in practice. Improving coverage of the spoofing measurements is critical. In this work we present the Spoofing Mapper (SMap): the first scanner for performing Internet-wide studies of enforcement of ingress filtering. The SMap measurement methodology utilises standard protocols' behaviour that are present in almost any network. SMap not only provides better coverage of ingress-filtering measurements, but it is also more effective than the previous approaches. We applied SMap for Internet-wide measurements: we found that 21 of all the Autonomous Systems (ASes) in the Internet do not filter spoofed packets, in contrast to 2.5 volunteers (of the Spoofer Project), as well as 13173 new spoofable ASes, which were not detected by the other tools. Our study with SMap provides the most comprehensive view of ingress filtering deployment in the Internet and remediation in filtering spoofed packets over a period of six months until February 2020. SMap is simple to use and does not require installation on the tested network nor coordination with the tested networks. We set up a web service at http://141.12.72.78/ which reports statistics from SMap evaluations and enables continual Internet-wide data collection and analysis. We also make our datasets as well as the SMap tool publicly available to enable researchers to reproduce and validate the results.
READ FULL TEXT