Hi,
we are a team of researchers from TU Berlin [1] working on a measurement project to assess the ramifications of traffic with spoofed source IP addresses in the Internet.
To better understand the operational challenges that you as network operators face when deploying (or not deploying) source IP address filtering techniques, we'd like to invite you to participate in our survey.
If you could spare 5 minutes of your time, we'd be delighted if you could fill out our survey form and tell us about your current practices regarding network filtering.
To participate, please visit: [2] http://filteringsurvey.inet.tu-berlin.de/
If you have any concerns or questions, you can reply on-list or contact us via [3] filtering-survey@inet.tu-berlin.de. We will only publish anonymized results of this study and once we've analyzed your feedback we'll publish a digest of the results on-list if you're interested.
As you are probably subscribed to more network operator lists you might encounter this mail multiple times. We apologize for cross-posting, but in order to get results that will give us meaningful insights we need the broadest coverage we can get.
Thank you very much for your support!
Franziska Lichtblau
[1] www.inet.tu-berlin.de [2] http://filteringsurvey.inet.tu-berlin.de/ [3] filtering-survey@inet.tu-berlin.de
On 2017-03-01 09:58, Franziska Lichtblau wrote:
Hi,
we are a team of researchers from TU Berlin [1] working on a measurement project to assess the ramifications of traffic with spoofed source IP addresses in the Internet.
To better understand the operational challenges that you as network operators face when deploying (or not deploying) source IP address filtering techniques, we'd like to invite you to participate in our survey.
If you could spare 5 minutes of your time, we'd be delighted if you could fill out our survey form and tell us about your current practices regarding network filtering.
To participate, please visit: [2] http://filteringsurvey.inet.tu-berlin.de/
You are missing the option for:
"hardware does not support it at line rate"
Which is the most important excuse by the larger networks to not enable BCP38/SAVE[1]/MANRS[2].
Most smaller shops, where the traffic conditions fit inside the hardware budget, just do not care enough unfortunately...
Oh, and indeed, Switzerland is a bad place for BCP38, most networks allow spoofing on both IPv4 and IPv6.
Greets, Jeroen
[1] http://www.redbarn.org/internet/save [2] http://www.routingmanifesto.org/manrs/
On Wed, Mar 01, 2017 at 11:22:44AM +0100, Jeroen Massar wrote:
On 2017-03-01 09:58, Franziska Lichtblau wrote:
we are a team of researchers from TU Berlin [1] working on a measurement project to assess the ramifications of traffic with spoofed source IP addresses in the Internet.
To better understand the operational challenges that you as network operators face when deploying (or not deploying) source IP address filtering techniques, we'd like to invite you to participate in our survey.
If you could spare 5 minutes of your time, we'd be delighted if you could fill out our survey form and tell us about your current practices regarding network filtering.
To participate, please visit: [2] http://filteringsurvey.inet.tu-berlin.de/
You are missing the option for:
"hardware does not support it at line rate"
Which is the most important excuse by the larger networks to not enable BCP38/SAVE[1]/MANRS[2].
Good point! I hope people suffering from that will tell us that with the open option, but you're right we should have considered that.
Most smaller shops, where the traffic conditions fit inside the hardware budget, just do not care enough unfortunately...
That was my feeling.
Oh, and indeed, Switzerland is a bad place for BCP38, most networks allow spoofing on both IPv4 and IPv6.
Which is "kinda good" for me cause only answers from people who are implementing all of that won't help us much understanding whats going on ;)
Thank you! Franziska
On 2017-03-01 11:59, Franziska Lichtblau wrote: [..]
Oh, and indeed, Switzerland is a bad place for BCP38, most networks allow spoofing on both IPv4 and IPv6.
Which is "kinda good" for me cause only answers from people who are implementing all of that won't help us much understanding whats going on ;)
That is not "kinda good" as it means that spoofing can happen easily and those kind of attacks are much harder to trace than ones that do proper full TCP (or heck UDP).
But with this whole Mirai thing and hundreds of thousands of hosts being compromised of end-sites or Wordpress/Joomla/etc on servers with proper upstream connectivity, it really does not matter, as spoofing is not even really needed to properly DDoS any network, unless we are talking about distributed or properly anycasted networks.
Eyeball networks though are both the source of many problems and when miscreants figure out they can take down an eyeball network (which cannot be protected with tricks like anycast and throwing more resources at it, as pipe full == pipe full... *not a hint* ;) ) and ransom those networks, lots of fun will happen.
The fun part is then also that those networks will just not work, they will also get overloaded call centers which is amazing from a money perspective thus it will do a lot of damage.
But maybe then those eyeball networks finally will start taking action in cleaning up their userbase, thus IMHO, it can't happen early enough as then we finally will have a proper Internet where that nonsense gets taken care of instead of just ignored...
Greets, Jeroen
On Wed, Mar 01, 2017 at 12:50:49PM +0100, Jeroen Massar wrote:
On 2017-03-01 11:59, Franziska Lichtblau wrote: [..]
Oh, and indeed, Switzerland is a bad place for BCP38, most networks allow spoofing on both IPv4 and IPv6.
Which is "kinda good" for me cause only answers from people who are implementing all of that won't help us much understanding whats going on ;)
That is not "kinda good" as it means that spoofing can happen easily and those kind of attacks are much harder to trace than ones that do proper full TCP (or heck UDP).
You got me wrong there. I didn't mean to say it's good that the possibility for spoofing is out there. What I meant to convey was, that if I only speak to operators or regions where a ''perfect'' level of filtering is applied I will not get meaningful insights about why it is not done everywhere and how we can improve on that. That's one of the biggest challenges - to actually talk to the people who are not doing as we all would want them to.
But with this whole Mirai thing and hundreds of thousands of hosts being compromised of end-sites or Wordpress/Joomla/etc on servers with proper upstream connectivity, it really does not matter, as spoofing is not even really needed to properly DDoS any network, unless we are talking about distributed or properly anycasted networks.
That is completely true. But that's a completely different problem (which I used to work on very superficially). One that I'd actually like to see fixed, but I'm not sure what a research perspective (which is the one I can offer) can help there. I'm totally open to suggestions.
Eyeball networks though are both the source of many problems and when miscreants figure out they can take down an eyeball network (which cannot be protected with tricks like anycast and throwing more resources at it, as pipe full == pipe full... *not a hint* ;) ) and ransom those networks, lots of fun will happen.
There are things you can not not think once you've thought about them once ;) I agree - there's lots of potential fun out there....
The fun part is then also that those networks will just not work, they will also get overloaded call centers which is amazing from a money perspective thus it will do a lot of damage.
But maybe then those eyeball networks finally will start taking action in cleaning up their userbase, thus IMHO, it can't happen early enough as then we finally will have a proper Internet where that nonsense gets taken care of instead of just ignored...
The problem is always, that people need incentives - there's a good amount of people that you can get with the global idea of a well working community... but sadly not all of them. That's one of the reasons why we ask what are the incentives of people who try to keep their network clean and now we can lower the bars for those who are not yet there.
Greets, Franziska
On 2017-03-01 17:02, Franziska Lichtblau wrote:
On Wed, Mar 01, 2017 at 12:50:49PM +0100, Jeroen Massar wrote:
On 2017-03-01 11:59, Franziska Lichtblau wrote: [..]
Oh, and indeed, Switzerland is a bad place for BCP38, most networks allow spoofing on both IPv4 and IPv6.
Which is "kinda good" for me cause only answers from people who are implementing all of that won't help us much understanding whats going on ;)
That is not "kinda good" as it means that spoofing can happen easily and those kind of attacks are much harder to trace than ones that do proper full TCP (or heck UDP).
You got me wrong there. I didn't mean to say it's good that the possibility for spoofing is out there. What I meant to convey was, that if I only speak to operators or regions where a ''perfect'' level of filtering is applied I will not get meaningful insights about why it is not done everywhere and how we can improve on that. That's one of the biggest challenges - to actually talk to the people who are not doing as we all would want them to.
The only place where a 'perfect level of filtering' is in place is Finland.
And that is because FICORA (their ~BAKOM) has made BCP38 mandatory in 2014:
https://www.viestintavirasto.fi/attachments/cert/tietoturvakatsaukset/Cyber_...
And they have good successes with it. Google for the many reports about this by the great people from FICORA.
The rest of the world, you will not find a lot of BCP38 to the joy of many many people who provide 'security services' (be that booters/testers/etc or the ones selling protection against ddos)
But with this whole Mirai thing and hundreds of thousands of hosts being compromised of end-sites or Wordpress/Joomla/etc on servers with proper upstream connectivity, it really does not matter, as spoofing is not even really needed to properly DDoS any network, unless we are talking about distributed or properly anycasted networks.
That is completely true. But that's a completely different problem (which I used to work on very superficially). One that I'd actually like to see fixed, but I'm not sure what a research perspective (which is the one I can offer) can help there. I'm totally open to suggestions.
Research unfortunately won't solve BCP38 deployment either.
Regulatory enforcement like in Finland seems to be the only way.
Like IPv6, as long as there is no real business interest -- read: money can be made from it nothing will happen. (the eyeball networks getting ddossed of the net by bots on their own network for instance would make a business interest, again *not a hint* ;) )
Eyeball networks though are both the source of many problems and when miscreants figure out they can take down an eyeball network (which cannot be protected with tricks like anycast and throwing more resources at it, as pipe full == pipe full... *not a hint* ;) ) and ransom those networks, lots of fun will happen.
There are things you can not not think once you've thought about them once ;) I agree - there's lots of potential fun out there....
The fun part is then also that those networks will just not work, they will also get overloaded call centers which is amazing from a money perspective thus it will do a lot of damage.
But maybe then those eyeball networks finally will start taking action in cleaning up their userbase, thus IMHO, it can't happen early enough as then we finally will have a proper Internet where that nonsense gets taken care of instead of just ignored...
The problem is always, that people need incentives - there's a good amount of people that you can get with the global idea of a well working community...
That does not make a business incentive aka earning money though.
but sadly not all of them. That's one of the reasons why we ask what are the incentives of people who try to keep their network clean and now we can lower the bars for those who are not yet there.
Make a business case and then convince the management of ISPs about the risk of the Mirai hosts (and many others) in their network.
Because of Mirai existing though, BCP38 would not do anything to stop that, thus you'll have to find a better example botnet that actually spoofs. As long as Mirai and friends exist, spoofing is not needed and thus BCP38 only solves a little bit of a puzzle unfortunately.
As I note above: Regulatory requirement are likely the only way.
Greets, Jeroen
On 2017-03-01 23:49, Jeroen Massar wrote:
On 2017-03-01 17:02, Franziska Lichtblau wrote:
[..]
Related paper:
http://www.caida.org/publications/papers/2017/using_loops_observed_tracerout...
Using Loops Observed in Traceroute to Infer the Ability to Spoof
8<--- Despite source IP address spoofing being a known vulnerability for at least 25 years, and despite many efforts to shed light on the problem, spoofing remains a popular attack method for redirection, amplification, and anonymity. To defeat these attacks requires operators to ensure their networks filter packets with spoofed source IP addresses, known as source address validation (SAV), best deployed at the edge of the network where traffic originates. In this paper, we present a new method using routing loops appearing in traceroute data to infer inadequate SAV at the transit provider edge, where a provider does not filter traffic that should not have come from the customer. Our method does not require a vantage point within the customer network. We present and validate an algorithm that identifies at Internet scale which loops imply a lack of ingress filtering by providers. We found 703 provider ASes that do not implement ingress filtering on at least one of their links for 1,780 customer ASes. Most of these observations are unique compared to the existing methods of the Spoofer and Open Resolver projects. By increasing the visibility of the networks that allow spoofing, we aim to strengthen the incentives for the adoption of SAV. -->8
Greets, Jeroen
-
Franziska Lichtblau -
Jeroen Massar