Network Hygiene, Incentives, and Regulation: Deployment of Source Address Validation in the Internet

@article{Luckie2019NetworkHI,
  title={Network Hygiene, Incentives, and Regulation: Deployment of Source Address Validation in the Internet},
  author={Matthew J. Luckie and Robert Beverly and Ryan Koga and Ken Keys and Joshua A. Kroll and Kimberly C. Claffy},
  journal={Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security},
  year={2019}
}
  • M. Luckie, Robert Beverly, K. Claffy
  • Published 6 November 2019
  • Computer Science
  • Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security
The Spoofer project has collected data on the deployment and characteristics of IP source address validation on the Internet since 2005. Data from the project comes from participants who install an active probing client that runs in the background. The client automatically runs tests both periodically and when it detects a new network attachment point. We analyze the rich dataset of Spoofer tests in multiple dimensions: across time, networks, autonomous systems, countries, and by Internet… 
Don't Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation of Inbound Traffic
TLDR
The first Internet-wide active measurement study to enumerate networks not filtering incoming packets by their source address, and reveals that 32,673 Autonomous Systems and 197,641 Border Gateway Protocol (BGP) prefixes are vulnerable to spoofing of inbound traffic.
The Closed Resolver Project: Measuring the Deployment of Source Address Validation of Inbound Traffic
TLDR
The first Internet-wide active measurement study to enumerate networks that filter or do not filter incoming packets by their source address, for both the IPv4 and IPv6 address spaces, and identifies dual-stacked DNS resolvers that accept spoofed requests coming from the outside of their network.
SMap: Internet-wide Scanning for Spoofing
TLDR
The Spoofing Mapper (SMap) is presented: the first scanner for performing Internet-wide studies of ingress filtering and evaluates spoofability of networks utilising standard protocols that are present in almost any Internet network.
SMap: Internet-wide Scanning for Ingress Filtering Draft (February 2020)
TLDR
The Spoofing Mapper (SMap) is presented: the first scanner for performing Internet-wide studies of enforcement of ingress filtering, and not only provides better coverage of the Internet ingress-filtering measurements in contrast to previous studies, but it is also more effective than the previous approaches.
SAVing the Internet: Explaining the Adoption of Source Address Validation by Internet Service Providers
TLDR
It is found that ISPs in countries with more developed ICT infrastructures are also more likely to have a wider adoption of SAV, and larger ISPs have a higher proportion of non-compliant IP space.
SMap: Internet-wide Scanning for Ingress Filtering
TLDR
This work presents the Spoofing Mapper (SMap), the first scanner for performing Internet-wide studies of enforcement of ingress filtering, and finds that 21% of all the Autonomous Systems in the Internet do not filter spoofed packets, in contrast to 2.5% identified by the most recent study with volunteers.
Behind Closed Doors: A Network Tale of Spoofing, Intrusion, and False DNS Security
TLDR
This work surveys the pervasiveness of networks vulnerable to infiltration using spoofed addresses internal to the network, and identifies nearly 4,000 DNS server instances vulnerable to cache poisoning attacks due to insufficient (and often non-existent) source port randomization.
Inferring the Deployment of Inbound Source Address Validation Using DNS Resolvers
TLDR
The study gives the most complete picture of the inbound Source Address Validation deployment at network providers: 32,673 IPv4 ASes and 197,641 IPv4 BGP prefixes are vulnerable to spoofing of inbound traffic.
Trust Zones: A Path to a More Secure Internet Infrastructure
  • Clark, Claffy
  • Computer Science
  • Journal of Information Policy
  • 2020
TLDR
A path to measurably improve a particular set of Internet infrastructure security weaknesses is proposed, which would reduce the risk to the level that users are not fearful of using the Internet, while preserving the core benefits of the Internet—the freedom from unnecessary constraint.
From IP to transport and beyond: cross-layer attacks against applications
TLDR
This study performs the first analysis of methodologies for launching DNS cache poisoning: manipulation at the IP layer, hijack of the inter-domain routing and probing open ports via side channels against DNS resolvers in the Internet and compares them with respect to effectiveness, applicability and stealth.

References

SHOWING 1-10 OF 63 REFERENCES
Using Loops Observed in Traceroute to Infer the Ability to Spoof
TLDR
A new method using routing loops appearing in traceroute data to infer inadequate SAV at the transit provider edge, where a provider does not filter traffic that should not have come from the customer.
Understanding the efficacy of deployed internet source address validation filtering
TLDR
This work collects data on the prevalence and efficacy of current best-practice source address validation techniques and provides an empirical basis for evaluating incentive and coordination issues surrounding existing and future Internet packet authentication strategies.
The spoofer project: inferring the extent of source address filtering on the internet
TLDR
The results are the first to quantify the extent and nature of filtering and the ability to spoof on the Internet and suggest that a large portion of the Internet is vulnerable to spoofing and concerted attacks employing spoofing remain a serious concern.
Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates
TLDR
It is shown that, even with partial deployment on the Internet, IDPFs can proactively limit the spoofing capability of attackers and can help localize the origin of an attack packet to a small number of candidate networks.
Don't Forget to Lock the Back Door! A Characterization of IPv6 Network Security Policy
TLDR
A detailed study of where port blocking policy is being applied in IPv6 finds that protocol openness discrepancies are consistent within network boundaries, suggesting a systemic failure in organizations to deploy consistent security policy.
Detection, classification, and analysis of inter-domain traffic with spoofed source IP addresses
TLDR
This paper proposes and evaluates a method to passively detect spoofed packets in traffic exchanged between networks in the inter-domain Internet, and applies it to classify the traffic exchange between more than 700 networks at a large European IXP.
Toward Incentivizing Anti-Spoofing Deployment
TLDR
Evaluation results show that MEF is the only method that achieves monotonically increasing deployment incentives for all types of spoofing attacks, and the system design is lightweight and practical.
Passport: Secure and Adoptable Source Authentication
TLDR
The adoptability modeling shows that Passport provides stronger security and deployment incentives than alternatives such as ingress filtering, because the ISPs that adopt it protect their own addresses from being spoofed at each other's networks even when the over-all deployment is small.
Weak Keys Remain Widespread in Network Devices
TLDR
It is found that many vendors appear to have never produced a patch, and observed little to no patching behavior by end users of affected devices.
You've Got Vulnerability: Exploring Effective Vulnerability Notifications
TLDR
An extensive study of notifying thousands of parties of security issues present within their networks, with an aim of illuminating which fundamental aspects of notifications have the greatest impact on efficacy.