Understanding the Efficacy of Deployed Internet Source Address Validation Filtering


Robert Beverly, Arthur Berger, Young Hyun, and k claffy.
Proceedings of the Ninth ACM SIGCOMM/USENIX Internet Measurement Conference (IMC 2009),
Chicago, IL, November 2009.

IP source address forgery, or "spoofing," is a long-recognized consequence of the Internet's lack of packet-level authenticity. Despite historical precedent and filtering and tracing efforts, attackers continue to utilize spoofing for anonymity, indirection, and amplification. Using a distributed infrastructure and approximately 12,000 active measurement clients, we collect data on the prevalence and efficacy of current best-practice source address validation techniques. Of clients able to test their provider's source-address filtering rules, we find 31% able to successfully spoof an arbitrary, routable source address, while 77% of clients otherwise unable to spoof can forge an address within their own /24 subnetwork. We uncover significant differences in filtering depending upon network geographic region, type, and size. Our new tracefilter tool for filter location inference finds 80% of filters implemented a single IP hop from sources, with over 95% of blocked packets observably filtered within the source's autonomous system. Finally, we provide initial longitudinal results on the evolution of spoofing revealing no mitigation improvement over four years of measurement. Our analysis provides an empirical basis for evaluating incentive and coordination issues surrounding existing and future Internet packet authentication strategies.
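The abstract reports two kinds of result: a per-client classification (can the client forge an arbitrary routable source, or only one inside its own /24?) and a filter-location inference from tracefilter. The following is an added example, not code from the paper or from the tracefilter tool, showing one simplified way to model both steps. The category names, the TTL-limited probe mechanics behind infer_filter_hop, and all sample addresses and probe outcomes are constructed assumptions for illustration.

```python
"""Added example, not code from the paper or its tracefilter tool: a
simplified model of how per-client spoofing probes are classified into
the abstract's tiers (arbitrary routable vs. own /24) and how a filter's
hop distance can be inferred from TTL-limited probes. The probe
mechanics and all sample data below are constructed assumptions."""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SpoofProbe:
    """One spoofed packet: the forged source, and whether a cooperating
    receiver saw it arrive (i.e. no filter on the path dropped it)."""
    spoofed_source: str
    received: bool


def spoof_category(client_ip: str, spoofed_source: str) -> str:
    """Classify a forged IPv4 source relative to the client's real address.
    Category names are this example's own, following the abstract."""
    client = ipaddress.ip_address(client_ip)
    forged = ipaddress.ip_address(spoofed_source)
    if client.version != 4 or forged.version != 4:
        raise ValueError("this model covers IPv4 only")
    if forged == client:
        return "same_host"            # not spoofing at all
    if forged in ipaddress.ip_network(f"{client}/24", strict=False):
        return "same_24"              # forgery confined to the client's /24
    if forged.is_global and not forged.is_multicast:
        return "arbitrary_routable"   # any other publicly routable unicast
    return "nonroutable"              # private, loopback, link-local, ...


def client_spoofability(client_ip: str, probes: list) -> str:
    """Two-tier summary for one client: 'arbitrary' if any out-of-/24
    routable forgery got through, else 'same_24_only' if an in-/24
    forgery did, else 'filtered'."""
    passed = {spoof_category(client_ip, p.spoofed_source)
              for p in probes if p.received}
    if "arbitrary_routable" in passed:
        return "arbitrary"
    if "same_24" in passed:
        return "same_24_only"
    return "filtered"


def summarize(results: dict) -> dict:
    """Population view in the abstract's form: share of clients able to
    spoof arbitrary addresses, and share of the remaining clients that
    can still forge within their own /24."""
    tiers = Counter(client_spoofability(ip, probes)
                    for ip, probes in results.items())
    n = len(results)
    rest = n - tiers["arbitrary"]
    return {
        "arbitrary": tiers["arbitrary"] / n,
        "same_24_of_nonspoofers": tiers["same_24_only"] / rest if rest else 0.0,
    }


def infer_filter_hop(responses: dict) -> "int | None":
    """Assumed tracefilter-like inference: spoofed probes are sent with
    TTL 1, 2, 3, ...; responses[ttl] is True if the hop at that distance
    returned ICMP Time Exceeded, i.e. the forged packet got that far.
    The filter is placed one hop past the farthest responding router
    (tolerating routers that silently skip a reply); returns None if the
    farthest probed hop still answered, so no filter was observed."""
    if not responses:
        raise ValueError("no probes recorded")
    answered = [ttl for ttl, seen in responses.items() if seen]
    if not answered:
        return 1                      # dropped at the very first hop
    farthest = max(answered)
    return None if farthest == max(responses) else farthest + 1


# Constructed sample data (documentation prefixes as client addresses;
# 1.2.3.4 stands in for an arbitrary globally routable forged source).
SAMPLE = {
    "192.0.2.50": [SpoofProbe("1.2.3.4", True), SpoofProbe("192.0.2.77", True),
                   SpoofProbe("10.0.0.1", False)],
    "198.51.100.9": [SpoofProbe("1.2.3.4", False), SpoofProbe("198.51.100.200", True)],
    "203.0.113.17": [SpoofProbe("1.2.3.4", False), SpoofProbe("203.0.113.18", False)],
    "192.0.2.200": [SpoofProbe("1.2.3.4", False), SpoofProbe("192.0.2.201", True)],
}
TRACES = {"198.51.100.9": {1: True, 2: False, 3: False},
          "203.0.113.17": {1: False, 2: False, 3: False}}

if __name__ == "__main__":
    print(summarize(SAMPLE))
    for ip, resp in TRACES.items():
        print(ip, "filter at hop", infer_filter_hop(resp))
```

The two-tier summary deliberately mirrors how the abstract phrases its numbers: the arbitrary-spoofing share is taken over all clients, while the same-/24 share is taken only over the clients that could not spoof arbitrarily. Real measurements also need to handle ICMP rate limiting and routers that never answer, which this model only approximates by placing the filter after the farthest responding hop.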

[Postscript(1024KB)] [PDF(356KB)] [BibTeX]
[Presentation Slides]