Sign In

Comprehensive Internet-wide Measurement of Ingress Filtering for Spoofed Packets

Core Concepts
The authors present SMap, the first Internet-wide scanner for measuring the deployment of ingress filtering to block spoofed packets, and find that over 72% of Autonomous Systems (ASes) in the Internet do not enforce ingress filtering.
The authors present SMap, a system for performing comprehensive Internet-wide measurements of ingress filtering to detect networks that do not block spoofed packets. SMap uses three techniques - IPID, PMTUD, and DNS lookup - to actively probe popular services on networks and determine if spoofed packets can reach those services. The key highlights of the SMap measurements are: SMap was able to scan over 90% of the ASes in the Internet, a significant improvement over previous studies that only covered a small fraction of networks. The authors found that 69.8% of all ASes in the Internet do not filter spoofed packets, much higher than the 2.4% reported in the latest Spoofer Project study. SMap identified 46,880 new spoofable ASes that were not detected in prior studies. The authors set up a web service to continuously monitor ingress filtering deployment and make the SMap implementation and datasets publicly available. Compared to previous approaches, SMap provides better coverage, scalability, representativeness, and stability of the measurement infrastructure. The authors also discuss the ethical considerations around Internet-wide scanning and the techniques used in SMap to minimize the impact on scanned networks.
63,522 ASes were scanned, covering over 90% of the Internet. 4,256,598 DNS servers, 16,478,938 Email servers, and 62,455,254 Web servers were identified across the tested networks. 51,046 ASes (80.90%) were found to not enforce ingress filtering of spoofed packets.
"To protect themselves from attacks, networks need to enforce ingress filtering, i.e., block inbound packets sent from spoofed IP addresses. Although this is a widely known best practice, it is still not clear how many networks do not block spoofed packets." "We found that 69.8% of all the Autonomous Systems (ASes) in the Internet do not filter spoofed packets and found 46880 new spoofable ASes which were not identified in prior studies."

Key Insights Distilled From

by Tianxiang Da... at 04-17-2024
SMap: Internet-wide Scanning for Spoofing

Deeper Inquiries

How can the findings from SMap be used to improve Internet security and encourage wider adoption of ingress filtering

The findings from SMap can be instrumental in improving Internet security by providing valuable insights into the extent of ingress filtering deployment across different networks. By identifying networks that do not filter spoofed packets, SMap highlights potential vulnerabilities that can be exploited by malicious actors for various cyber attacks. This information can be used to raise awareness among network operators and encourage them to implement proper filtering mechanisms to enhance their security posture. Moreover, the data collected by SMap can be utilized to create benchmarks and best practices for ingress filtering. By analyzing the characteristics of networks that do not enforce filtering, security professionals can develop guidelines and recommendations to help organizations strengthen their defenses against spoofing attacks. This can lead to a more secure Internet ecosystem overall. The findings from SMap can also be leveraged to drive wider adoption of ingress filtering. By showcasing the prevalence of networks that do not filter spoofed packets, SMap can serve as a catalyst for regulatory bodies, industry associations, and cybersecurity experts to advocate for mandatory filtering practices. This can lead to the establishment of standards and regulations that mandate ingress filtering as a fundamental security measure for all networks, thereby improving the overall security posture of the Internet.

What are the potential policy or regulatory measures that could be taken to address the high prevalence of networks that do not filter spoofed packets

To address the high prevalence of networks that do not filter spoofed packets, several policy and regulatory measures can be considered: Mandatory Compliance: Regulatory bodies can mandate that all networks, especially critical infrastructure providers, adhere to ingress filtering best practices. Non-compliance could result in penalties or fines, incentivizing organizations to prioritize security measures. Industry Standards: Industry associations and cybersecurity organizations can develop and promote standards for ingress filtering. By setting guidelines and best practices, they can encourage network operators to implement filtering mechanisms effectively. Public Awareness Campaigns: Government agencies and cybersecurity organizations can launch public awareness campaigns to educate network operators about the importance of ingress filtering. By highlighting the risks of not filtering spoofed packets, they can motivate organizations to take proactive security measures. Third-Party Audits: Implementing regular audits and assessments by third-party security firms can help identify networks that are not enforcing filtering. This can provide valuable feedback to organizations and help them improve their security practices. Collaborative Efforts: Encouraging collaboration among network operators, cybersecurity experts, and regulatory bodies can facilitate information sharing and best practice dissemination. By working together, stakeholders can collectively address the issue of networks not filtering spoofed packets.

What other techniques or approaches could be explored to further improve the coverage and accuracy of Internet-wide measurements of ingress filtering deployment

To further improve the coverage and accuracy of Internet-wide measurements of ingress filtering deployment, the following techniques or approaches could be explored: Passive Monitoring: Implementing passive monitoring techniques to analyze network traffic for signs of spoofing can provide real-time insights into ingress filtering practices. By observing actual traffic patterns, researchers can identify networks that do not filter spoofed packets more effectively. Machine Learning Algorithms: Leveraging machine learning algorithms to analyze network behavior and identify anomalies associated with spoofing can enhance the accuracy of measurements. By training models on large datasets, researchers can develop predictive tools for detecting networks that do not enforce filtering. Collaborative Data Sharing: Establishing partnerships with network operators to share data on ingress filtering practices can improve coverage and accuracy. By aggregating data from multiple sources, researchers can create a more comprehensive view of spoofing vulnerabilities across the Internet. Behavioral Analysis: Conducting behavioral analysis of network traffic to detect patterns indicative of spoofing can enhance measurement techniques. By studying the behavior of packets and their interactions with network devices, researchers can identify networks that are susceptible to spoofing attacks. Continuous Monitoring: Implementing continuous monitoring systems to track changes in ingress filtering deployment over time can provide valuable insights into network security trends. By regularly updating measurements and analyses, researchers can stay informed about evolving security practices in the Internet ecosystem.