Core Concept
The authors present SMap, the first Internet-wide scanner for measuring the deployment of ingress filtering to block spoofed packets, and find that over 72% of Autonomous Systems (ASes) in the Internet do not enforce ingress filtering.
Summary
The authors present SMap, a system for performing comprehensive Internet-wide measurements of ingress filtering to detect networks that do not block spoofed packets. SMap uses three techniques (IPID, PMTUD, and DNS lookup) to actively probe popular services on networks and determine whether spoofed packets can reach those services.
The key highlights of the SMap measurements are:
- SMap was able to scan over 90% of the ASes in the Internet, a significant improvement over previous studies that only covered a small fraction of networks.
- The authors found that 69.8% of all ASes in the Internet do not filter spoofed packets, much higher than the 2.4% reported in the latest Spoofer Project study.
- SMap identified 46,880 new spoofable ASes that were not detected in prior studies.
- The authors set up a web service to continuously monitor ingress filtering deployment and make the SMap implementation and datasets publicly available.
- Compared to previous approaches, SMap provides better coverage, scalability, representativeness, and stability of the measurement infrastructure.
The authors also discuss the ethical considerations around Internet-wide scanning and the techniques used in SMap to minimize the impact on scanned networks.
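The summary names the IPID technique without showing how a verdict is reached, so the following added example (not the SMap implementation and not code from the paper) sketches the analysis step for one server. It assumes the server uses a single globally incrementing 16-bit IPID counter sampled before and after a burst of spoofed packets; the function names, the threshold rule and all sample values are constructed for illustration.

```python
from statistics import mean, pstdev

IPID_MOD = 1 << 16  # the IPv4 Identification field is 16 bits wide


def deltas(samples):
    """Increments between consecutive IPID samples, modulo 16-bit wraparound."""
    return [(b - a) % IPID_MOD for a, b in zip(samples, samples[1:])]


def classify(baseline, before, after, n_spoofed, k=3.0):
    """Decide whether n_spoofed packets advanced the server's IPID counter.

    baseline: IPID samples taken at the probe spacing with no spoofed traffic
    before, after: IPID values sampled on either side of the spoofed burst
    Returns "reached" (the burst was not filtered on its way to the server),
    "not_reached" or "inconclusive".
    """
    d = deltas(baseline)
    mu, sigma = mean(d), pstdev(d)
    # If background traffic varies by as much as half the burst size,
    # the two outcomes cannot be told apart.
    if k * sigma >= n_spoofed / 2:
        return "inconclusive"
    observed = (after - before) % IPID_MOD
    # Expected jump is mu if the burst was dropped, mu + n_spoofed if it arrived.
    return "reached" if observed >= mu + n_spoofed / 2 else "not_reached"


# Constructed sample measurements (not data from the paper).
QUIET = [1000, 1003, 1005, 1008, 1010, 1013]  # steady background traffic
BUSY = [0, 5, 60, 62, 130, 131]               # bursty background traffic

if __name__ == "__main__":
    print(classify(QUIET, 65530, 17, n_spoofed=20))   # counter wraps past 65535
    print(classify(QUIET, 2000, 2003, n_spoofed=20))
    print(classify(BUSY, 500, 560, n_spoofed=20))
```

A "not_reached" verdict only says the counter did not move; the burst may have been dropped for reasons other than ingress filtering, which is one reason to treat busy or non-sequential counters as inconclusive.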
Statistics
63,522 ASes were scanned, covering over 90% of the Internet.
4,256,598 DNS servers, 16,478,938 Email servers, and 62,455,254 Web servers were identified across the tested networks.
51,046 ASes (80.90%) were found to not enforce ingress filtering of spoofed packets.
Quotes
"To protect themselves from attacks, networks need to enforce ingress filtering, i.e., block inbound packets sent from spoofed IP addresses. Although this is a widely known best practice, it is still not clear how many networks do not block spoofed packets."
"We found that 69.8% of all the Autonomous Systems (ASes) in the Internet do not filter spoofed packets and found 46880 new spoofable ASes which were not identified in prior studies."