![[CAIDA - Center for Applied Internet Data Analysis logo]](/images/caida_globe_faded.png "Go to CAIDA home page")
Sponsored by:
Seeking to minimize Internet's susceptibility to spoofed DDoS attacks, we will develop, build, and operate multiple open-source software tools to assess and report on the deployment of source address validation (SAV) best anti-spoofing practices.
Funding source: DHS S&T contract D15PC00188. Period of performance: August 3, 2015 - March 31, 2017; April 1, 2017 - July 31, 2018 (optional).
Statement of Work (Completed)
Period I: Applied Research and Development (8 months, August 1, 2015 - March 31, 2016)
| Task 1: Develop and deploy new client-server SAV testing system | ||||
| 1.1 | Develop an extensible JSON-based structured data communications protocol for negotiating and coordinating complex spoofed packets measurements between the client and our server.
Specifications: (a) set probing parameters (e.g., where to send spoofed packets, how to encode packets, etc.) (b) encode traceroute measurements to determine the location of SAV filters (c) report test results back to the client |
|||
| 1.2 | Develop and release server software to be easily deployed by network operators for scheduling and coordinating SAV measurements, and transmitting results to a database | |||
| 1.3 | Deploy a server instance at CAIDA to support a public view of SAV deployment | |||
| 1.4 | Develop and release client software.
Specifications: (a) can run in the background on Windows, MacOS, and UNIX-like systems (b) regularly (weekly) test the ability to send and receive spoofed packets (c) include intuitive GUI to communicate results to the user (d)support opportunistic measurement by mobile laptops (e) use link-layer sockets to send spoofed packets as complete Ethernet frames (f) implement traceroute to help determine the location of SAV filtering |
|||
| Task 2: Develop and deploy new reporting system to focus SAV compliance attention | ||||
| 2.1 | Build a reporting engine that will correlate coverage of SAV tests with various characteristics of tested networks: type (e.g., access, transit), country of operation, IP reputation, their country's transparency of governance | |||
| 2.2 | Generate ingress access lists for all stub ASes that a transit provider could validate and deploy | |||
| 2.3 | Identify the fraction of customers of each transit provider in each region that have been observed spoofing packets | |||
| 2.4 | Identify transit providers who should be encouraged to deploy our ingress access lists | |||
| 2.5 | Build a public website to report per-network test outcomes, highlighting the most recent tests, on the specialized server at CAIDA | |||
| 2.6 | Enable privacy-preserving features to anonymize individual IP addresses when necessary | |||
| 2.7 | Add a searching functionality to allow any user to query for results for any network | |||
| 2.8 | Incorporate our stakeholder-focused analysis into the public website | |||
| Task 3: Research use of IXPs as a vantage point for SAV best practice assessment | ||||
| 3.1 | Investigate methods to automatically build lists of customer cone prefixes belonging to IXP participants | |||
| 3.2 | Identify IXP participants with inadequate SAV deployment by analyzing packets captured at anycast DNS root-server instances deployed at IXPs and finding source addresses outside of the customer cones | |||
| 3.3 | Demonstrate to IXPs the measurement capabilities that can illuminate the SAV hygiene practices of their participating networks | |||
Milestones and Deliverables (Period I)
| # | Milestone | Deliverable | Date | Status |
|---|---|---|---|---|
| 1 | Report: Extensible client-server protocol | Nov 1, 2015 | done | |
| 2 | Develop initial prototypes of client and server software | Dec 1, 2015 | done | |
| 3 | Deploy a supported instance of server software at CAIDA | Feb 1, 2016 | done | |
| 4 | Evaluate utility of DNS root-server data to obtain external view of IXP hygiene | Report: Spoofed traffic to DNS root-servers | Feb 1, 2016 | done |
| 5 | Deploy public website to show outcomes of tests | Software: Public website | Mar 31, 2016 | done |
| 6 | Final Report | Mar 31, 2016 | done |
Period II: Development (12 months, April 1, 2016 - March 31, 2017)
| Task 1: Refine client-server testing tools and reports according to experiences and feedback | ||||
| 1.1 | Organize demonstration of software capabilities for DHS at the appropriate site/occasion (DHS site visit to CAIDA, a Program Meeting, or at DHS chosen site) | |||
| 1.2 | Deliver completed and tested client and server software to DHS | |||
| 1.3 | Publicly release the client-server software | |||
| 1.4 | Integrate telescope backscatter data into reporting system to display trends in randomly spoofed DDoS attacks over time
Specifications: (a) incorporate characteristics of the targeted networks: type (e.g., access, transit), country of operation, IP reputation, their country's transparency of governance (b) use historic CAIDA data collected since 2004 to provide a baseline for DDoS trends |
|||
| 1.5 | Add support to client and server tools to determine whether a tested AS discards packets at the edge of its network arriving from outside of the network but purporting to be from inside the network | |||
| 1.6 | Adjust probing strategies of client tools based on operational experience to minimize unnecessary tests | |||
| Task 2: Research and develop a traceroute SAV-analysis system to infer providers that do not apply SAV to customers | ||||
| 2.1 | Research methods and develop implementation to infer provider-customer links that imply lack of SAV by the provider | |||
| 2.2 | Report our inferences on the spoofer website | |||
| 2.3 | Ccontinuously generate customer cone prefixes to enable an up-to-date view of valid customer prefixes for a specified AS | |||
| 2.4 | Implement a query interface to dynamically report prefixes in the customer cone of a specified AS for the convenience of IXP operators | |||
Milestones and Deliverables (Period II)
| # | Milestone | Deliverable | Date | Status |
|---|---|---|---|---|
| 1 | Presentation: Demonstrating software to DHS | Aug 1, 2016 | done | |
| 2 | Provide DHS with completed client and server software, make software public | Software: release | May 1, 2016 | done |
| 3 | Present intermediate results to industry group (e.g., NANOG) | Aug 1, 2016 | done | |
| 4 | Evaluate utility of system that uses traceroute data to infer provider-customer links without deployed best practices | Sep 1, 2016 | done | |
| 5 | Report: Viability of traceroute SAV system | Oct 1, 2016 | done | |
| 6 | Incorporate trends over time and properties of networks that do not filter spoofed packets into the reporting system | Software: Updated reporting system | Oct 1, 2016 | done |
| 7 | Deploy web-based system to return customer cone prefixes for ASes | Dec 1, 2016 | done | |
| 8 | Recommend strategies for region-specific SAV focus | Report: SAV analysis with new data types | Mar 31, 2017 | done |
| 9 | Release client-server software that tests ability of client to receive spoofed packets | Software: Year-end release | Mar 31, 2017 | done |