computers Article IP Spoofing In and Out of the Public Cloud: From Policy to Practice Natalija Vlajic *, Mashruf Chowdhury and Marin Litoiu Department of Electrical Engineering & Computer Science, York University, Toronto, ON M3J 1P3, Canada; [email protected] (M.C.); [email protected] (M.L.) * Correspondence: [email protected] Received: 28 August 2019; Accepted: 25 October 2019; Published: 9 November 2019 Abstract: In recent years, a trend that has been gaining particular popularity among cybercriminals is the use of public Cloud to orchestrate and launch distributed denial of service (DDoS) attacks. One of the suspected catalysts for this trend appears to be the increased tightening of regulations and controls against IP spoofing by world-wide Internet service providers (ISPs). Three main contributions of this paper are (1) For the first time in the research literature, we provide a comprehensive look at a number of possible attacks that involve the transmission of spoofed packets from or towards the virtual private servers hosted by a public Cloud provider. (2) We summarize the key findings of our research on the regulation of IP spoofing in the acceptable-use and term-of-service policies of 35 real-world Cloud providers. The findings reveal that in over 50% of cases, these policies make no explicit mention or prohibition of IP spoofing, thus failing to serve as a potential deterrent. (3) Finally, we describe the results of our experimental study on the actual practical feasibility of IP spoofing involving a select number of real-world Cloud providers. These results show that most of the tested public Cloud providers do a very good job of preventing (potential) hackers from using their virtual private servers to launch spoofed-IP campaigns on third-party targets. However, the same very own virtual private servers of these Cloud providers appear themselves vulnerable to a number of attacks that involve the use of spoofed IP packets and/or could be deployed as packet-reflectors in attacks on third party targets. We hope the paper serves as a call for awareness and action and motivates the public Cloud providers to deploy better techniques for detection and elimination of spoofed IP traffic. Keywords: IP spoofing; network security; cloud computing; firewalls; computer crime 1. Introduction IP spoofing—the simple act of modifying an IP packet by replacing its genuine source address with a forged one as illustrated in Figure1 has long been known as the key precursor for many di fferent forms of cyber attacks and illegitimate online activities, including man-in-the-middle (MitM) attacks, distributed denial of service (DDoS) attacks, ARP and DNS poisoning attacks, spoofed port scanning, etc. What makes IP spoofing particularly challenging for cybersecurity defenders is (a) the fact that no network is entirely immune to attacks that deploy IP spoofing, and (b) there are many readily available tools and programming packages that allow even moderately-skilled hackers to integrate IP spoofing into their attacks, such as Scapy, Hping, Libcrafter, etc. From a legal standpoint, IP spoofing in itself is not considered a criminal activity. As stated in [1], “Strictly speaking, the simple act of spoofing an identity is not illegal (i.e., no hacking is involved in the commission of the act). It only becomes illegal when a threat of death or violence is involved, or personal data are stolen in order to commit fraud or identity theft”. In fact, there are many legitimate reasons/operations that may require the use of packets with forged IP addresses (e.g., network troubleshooting, penetration testing, workload and stress testing, user anonymization, etc.). As a result, Computers 2019, 8, 81; doi:10.3390/computers8040081 www.mdpi.com/journal/computers Computers 2019, 8, x FOR PEER REVIEW 2 of 17 Computers 2019, 8, x FOR PEER REVIEW 2 of 17 network troubleshooting, penetration testing, workload and stress testing, user anonymization, etc.). Computers 2019, 8, 81 2 of 17 networkAs a result, troubleshooting, until relatively penetration recently, a testing, large number worklo ofad Internet and stress service testing, providers user anonymization, (ISPs) were turning etc.). Asa blind a result, eye until and allowingrelatively uninterrupted recently, a large transmission number of Internetof all sorts service of spoofed providers IP packets (ISPs) were generated turning by atheiruntil blind relativelycustomers. eye and allowing recently, However, auninterrupted large in the number past fewtransmission ofInternet years, the service of number all sorts providers of of ISPs spoofed (ISPs) that IPhave were packets started turning generated performing a blind by eye theiregressand allowingcustomers. filtering uninterrupted onHowever, their outbound in transmission the past traffic, few of byyears, all dr sortsopping the of number spoofed obviously IPof packetsISPs spoofed that generated haveoutgoing started by IP their performingpackets, customers. has egressgrownHowever, filtering considerably. in the on past their few This outbound years, has thelikely traffic, number come by ofas dr ISPs aopping result that have obviouslyof the started Mutually spoofed performing Agreed outgoing egress Norms IP filtering packets, for Routing on theirhas grownSecurityoutbound considerably. (MANRS) traffic, by initiative droppingThis has [2], obviouslylikely which come spoofedwas as introduceda result outgoing of inthe IP 2014 packets, Mutually by hasthe Agreed grownInternet considerably.Norms Society for (ISOC), Routing This hasthe Securityparentlikely come organization (MANRS) as a result initiative of of the the Internet Mutually[2], which Engineering Agreed was introduced Norms Task for Force Routingin 2014 (IETF) Securityby thestandards Internet (MANRS) body. Society initiative One (ISOC), of [2 ],the which thekey parentrecommendationswas introduced organization in 2014 imposed of bythe theInternet by Internet MANRS Engineering Society to its (ISOC), members Task the Force parent is that (IETF) organization ‘network standards operators of thebody. Internet implementOne Engineeringof the anti-key recommendationsspoofingTask Force filtering (IETF) standards imposedto prevent body.by packets MANRS One with of to the itsan key incorremembers recommendationsct sourceis that IP‘network address imposed operators from by MANRS entering implement to and its members leaving anti- spoofingtheiris that network’ ‘network filtering [2]. operators to To prevent date, implement more packets than anti-spoofingwith a hundred an incorre worldwide filteringct source to prevent network IP address packets operators from with entering (ISPs) an incorrect have and agreed sourceleaving to IP theirparticipateaddress network’ from in entering[2].MANRS, To date, and each leavingmore of themthan their arepresenting hundred network’ worldwide [2 ].dozens, To date, hundreds, network more than operators or a hundredin some (ISPs) cases, worldwide have thousands agreed network to of participatenetworkoperators subdomains (ISPs)in MANRS, have agreed [2]. each toof participatethem representing in MANRS, dozens, each ofhundreds, them representing or in some dozens, cases, hundreds,thousands or of in networksome cases, subdomains thousands [2]. of network subdomains [2]. Figure 1. Transmission of spoofed IP packets. FigureFigure 1. 1. TransmissionTransmission of of spoofed spoofed IP IP packets. packets. The Center for Applied Internet Data Analytics (CAIDA) [3] is a US-government funded group The Center for Applied Internet Data Analytics (CAIDA) [3] is a US-government funded group committedThe Center to performing for Applied comprehe Internet Datansive Analytics measurements (CAIDA) and [3] visualization is a US-government of various funded type ofgroup data committed to performing comprehensive measurements and visualization of various type of data committedpertaining to theperforming global Internet comprehe trafficnsive and measurements topology. Among and othervisualization publicly ofavailable various outputs type of of data this pertaining to the global Internet traffic and topology. Among other publicly available outputs of this pertaininggroup, the to real-time the global charts Internet depict trafficing andthe topology.global as wellAmong as country-by-countryother publicly available susceptibility outputs of tothis IP group, the real-time charts depicting the global as well as country-by-country susceptibility to IP spoofing group,spoofing the are real-time particularly charts interesting. depicting theAccording global asto wellthese as charts country-by-country (as of June 2019), susceptibility on average, to only IP are particularly interesting. According to these charts (as of June 2019), on average, only 15% to 30% of spoofing15% to 30%are particularlyof spoofed trafficinteresting. is not According successfully to thesedetected charts and (as blocked of June by 2019), worldwide on average, ISPs. only This spoofed traffic is not successfully detected and blocked by worldwide ISPs. This suggests that at present, 15%suggests to 30% that of at spoofed present, traffic globally, is not and successfully on average, detected ISPs do and a reasonably blocked by good worldwide job of dealing ISPs. Thiswith globally, and on average, ISPs do a reasonably good job of dealing with spoofed IP traffic. However, it suggestsspoofed thatIP traffic. at present, However, globally, it is and important on average, to note ISPs that do deviationsa reasonably from good this job average of dealing are withquite
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages17 Page
-
File Size-