Source Address Validation (SAV) is a standard aimed at discarding packets with spoofed source IP addresses. The absence of SAV for outgoing traffic has been known as a root cause of Distributed Denial-of-Service (DDoS) attacks and received widespread attention. While less obvious, the absence of inbound filtering enables an attacker to appear as an internal host of a network and may reveal valuable information about the network infrastructure. Inbound IP spoofing may amplify other attack vectors such as DNS cache poisoning or the recently discovered NXNSAttack. In this paper, we present the preliminary results of the Closed Resolver Project that aims at mitigating the problem of inbound IP spoofing. We perform the first Internet-wide active measurement study to enumerate networks that filter or do not filter incoming packets by their source address, for both the IPv4 and IPv6 address spaces. To achieve this, we identify closed and open DNS resolvers that accept spoofed requests coming from the outside of their network. The proposed method provides the most complete picture of inbound SAV deployment by network providers. Our measurements cover over 55 % IPv4 and 27 % IPv6 Autonomous Systems (AS) and reveal that the great majority of them are fully or partially vulnerable to inbound spoofing. By identifying dual-stacked DNS resolvers, we additionally show that inbound filtering is less often deployed for IPv6 than it is for IPv4. Overall, we discover 13.9 K IPv6 open resolvers that can be exploited for amplification DDoS attacks - 13 times more than previous work. Furthermore, we enumerate uncover 4.25 M IPv4 and 103 K IPv6 vulnerable closed resolvers that could only be detected thanks to our spoofing technique, and that pose a significant threat when combined with the NXNSAttack.
翻译:源地址验证(SAV)是一项旨在丢弃源IP地址伪造数据包的标准。出站流量缺乏SAV已被公认为分布式拒绝服务(DDoS)攻击的根本原因,并受到广泛关注。虽然不太明显,但入站过滤的缺失使攻击者能够伪装成网络的内部主机,并可能泄露网络基础设施的敏感信息。入站IP欺骗可能放大其他攻击向量,例如DNS缓存投毒或最近发现的NXNSAttack。本文展示了封闭解析器项目的初步结果,该项目旨在缓解入站IP欺骗问题。我们首次开展互联网范围的主动测量研究,枚举针对IPv4和IPv6地址空间入站数据包按源地址进行过滤或不过滤的网络。为此,我们识别出接受来自其网络外部伪造请求的封闭和开放DNS解析器。所提出的方法提供了网络运营商部署入站SAV的最全面图景。我们的测量覆盖超过55%的IPv4和27%的IPv6自治系统(AS),并表明其中绝大多数完全或部分易受入站欺骗攻击。通过识别双栈DNS解析器,我们进一步发现IPv6的入站过滤部署频率低于IPv4。总体而言,我们发现了13.9万个可被用于放大DDoS攻击的IPv6开放解析器——是先前工作的13倍。此外,我们枚举出425万个IPv4和10.3万个IPv6易受攻击的封闭解析器,这些解析器仅通过我们的欺骗技术才能被检测到,且与NXNSAttack结合时构成重大威胁。