University of Twente Student Theses

Exposing Potential Origin Networks of Malicious Spoofed Traffic through Anycast Catchment Mapping

Palinckx, Bas (2025) Exposing Potential Origin Networks of Malicious Spoofed Traffic through Anycast Catchment Mapping.

Abstract: Distributed Denial of Service (DDoS) attacks prevent users from accessing a service by flooding it with excessive, unsolicited traffic. A popular form is the Reflection & Amplification (R&A) attack. These attacks take advantage of legitimate services by reflecting and amplifying their responses toward victims. IP spoofing is integral to these attacks, as attackers set their source address to that of the victim, thereby masking their own. This makes retribution against these attackers very challenging. A relatively unexplored approach for exposing information about malicious spoofed traffic is to leverage the unique properties of anycast routing. Under anycast, multiple sites are configured so that clients are automatically routed to the site topologically closest to them. This means that if spoofed traffic arrives at a certain anycast site, the spoofer must be located near that site, regardless of which source address it uses. It is possible to analyze the catchment of networks that an anycast site serves using the Verfploeter technique, a method that relies on active IPv4-wide probing. For this study, we lure spoofed DDoS traffic to the Tangled anycast testbed, consisting of 32 widespread nodes, by deploying the AmpPot honeypot at every location. With this setup, we can create a list of prospective origin networks where a spoofer potentially resides by filtering networks out of the catchment measurements based on the assumed hop count from the spoofer. We validated this method with ground truth data provided by CAIDA’s Spoofer project. Based on our test subjects, we can narrow down a spoofer’s network by systematically eliminating up to 98% of known autonomous systems and routed prefixes. This sets the stage to determine more precisely where spoofed DDoS attacks originate, which can greatly help in retribution against attackers.
Item Type: Essay (Master)
Faculty: EEMCS: Electrical Engineering, Mathematics and Computer Science
Subject: 54 computer science
Programme: Computer Science MSc (60300)
Link to this item: https://purl.utwente.nl/essays/106219