The Spoofer Project: Inferring the Extent of Source Address Filtering on the Internet

Robert Beverly, Steven Bauer.
Proceedings of USENIX Steps to Reducing Unwanted Traffic on the Internet Workshop (SRUTI 2005),
pp. 53-59, Cambridge, MA, July 2005.

By forging or "spoofing" the source address of an IP packet, a malicious user or compromised host can send packets toward a victim anonymously or employ reflector attacks. This talk presents an Internet-wide active measurement spoofing project. Clients source valid, bogon and martian spoofed UDP packets to determine source address filtering policy. We infer filtering granularity by performing adjacent netblock scanning. Our results are the first to quantify the extent and nature of filtering and the ability to spoof on the Internet. Approximately 23% of the observed netblocks and autonomous systems permit spoofing or employ automated configuration methods that allow partial spoofing. Projecting this number to the entire Internet, an approximation we show is reasonable, yields over 108M spoofable addresses and 4,000 spoofable networks. Our findings suggest that a large portion of the Internet is still vulnerable to spoofing and concerted attacks remain a serious concern.

[Postscript(554KB)] [PDF(113KB)] [BibTeX]
[Presentation Slides]

[ Return to publications ]