Daniel Kopp successfully defended his Master thesis on Monday, December 15th, 2014, after working with da/sec from May 2013 to December 2014.
IP spoofing is a well-known security flaw of the Internet Protocol that is exploited to mount various types of attacks. Being able to forge a sender's IP address has enabled network-based attacks since the early days of the Internet. Today, denial of service (DoS) has become the most significant threat to Internet services, with far-reaching consequences: DoS can be used to disrupt any system connected to the Internet, and when combined with IP spoofing its impact is magnified, because the true source of the traffic is hidden and the attack can be reflected off third parties. DoS is regularly used to blackmail companies; recent examples include the attacks on Sipgate and Fidor Bank in October 2014. Prominent appearances of DoS include the Russo-Georgian War in 2008 and the political unrest in Estonia in 2007, in which the computer infrastructure of parliaments, ministries, and banks was attacked. To tackle IP spoofing, the IETF proposed ingress address filtering (BCP 38, RFC 2827), which would solve the problem if applied by all ISPs. Unfortunately, surveys reveal that deployment amongst ISPs remains constant at approximately 50%, so IP spoofing remains an open security issue for the Internet. Most research published in the area of IP spoofing either proposes improvements to the Internet Protocol to fix its design flaw or describes theoretical models to detect spoofing. Practical applications and results could give insight into the prevalence of IP spoofing and make it possible to examine spoofed packets, raising awareness of ongoing and new attack models.
Hence, this thesis proposes a new approach to detecting IP spoofing adapted to the environment of an Internet Exchange Point (IXP) and implements it as a prototype. The concept combines knowledge of BGP routing paths with the routing policies registered in Internet Routing Registries (IRRs). During one week of observation at an ISP, 0.12% of the total observed data volume was identified as carrying spoofed IP addresses. Besides the general results of the detection mechanism, two anomalies are analysed as examples and identified as variants of DoS attacks. The results highlight the potential of the approach implemented in this thesis.
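To make the idea concrete, the following Python sketch shows one way the two data sources named above can be combined at an exchange point. It is an added illustration written for this page, not the thesis prototype or its data: it assumes that each packet is attributed to the peer ASN whose port it arrived on, that the exchange sees the peer's BGP announcements (e.g. via a route server), and that IRR route objects and aut-num export policies are available. A source address is accepted only if it falls in a prefix the ingress peer announces over BGP or is registered in the IRR to export; everything else is flagged. All ASNs, prefixes and flow records are constructed (RFC 5737 documentation prefixes and private-use ASNs).

```python
import ipaddress

# Constructed sample data: RFC 5737 documentation prefixes and private-use ASNs
# stand in for real ones, and none of it comes from the thesis or its prototype.

# Routes learned at an IXP route server: (peer ASN the route came from, prefix, AS path)
BGP_RIB = [
    (64500, "192.0.2.0/24",    (64500,)),
    (64510, "203.0.113.0/24",  (64510,)),
]

# IRR data: route objects (prefix -> origin ASN) and aut-num export policies
# (peer ASN -> ASNs whose routes it declares it exports, e.g. its customer cone).
IRR_ROUTE_OBJECTS = {
    "192.0.2.0/24":    64500,
    "198.51.100.0/24": 64501,   # customer of 64500, never announced to the route server
    "203.0.113.0/24":  64510,
}
IRR_EXPORT_POLICY = {
    64500: {64500, 64501},
    64510: {64510},
}

# Source addresses that are never legitimate on the exchange fabric (RFC 1918,
# loopback, link-local, multicast, ...). The RFC 5737 ranges are deliberately
# left out of this list because the sample data above uses them as "public" space.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def allowed_sources(peer_asn):
    """Prefixes a packet received from peer_asn may legitimately carry as source.

    Union of (1) what the peer currently announces to us over BGP and (2) what
    the IRR says the peer is entitled to export. (2) matters because routing is
    often asymmetric: a peer may hand us traffic from prefixes it never
    announces to the route server, and BGP alone would flag that as spoofed.
    """
    nets = set()
    for from_peer, prefix, path in BGP_RIB:
        # the first AS in the path must be the peer itself
        if from_peer == peer_asn and path and path[0] == peer_asn:
            nets.add(ipaddress.ip_network(prefix))
    exportable = IRR_EXPORT_POLICY.get(peer_asn, set())
    for prefix, origin in IRR_ROUTE_OBJECTS.items():
        if origin in exportable:
            nets.add(ipaddress.ip_network(prefix))
    return nets


def classify(src_ip, peer_asn):
    """'bogon', 'ok' or 'spoofed' for a packet with source src_ip arriving from peer_asn."""
    ip = ipaddress.ip_address(src_ip)
    if any(ip in net for net in BOGONS):
        return "bogon"
    if any(ip in net for net in allowed_sources(peer_asn)):
        return "ok"
    return "spoofed"


def spoofed_volume_share(packets):
    """Fraction of bytes in [(src_ip, peer_asn, length), ...] whose source is not accepted."""
    total = sum(length for _, _, length in packets)
    bad = sum(length for src, peer, length in packets if classify(src, peer) != "ok")
    return bad / total if total else 0.0


if __name__ == "__main__":
    # Constructed flow records as they might be sampled at the exchange
    sample = [
        ("192.0.2.7",    64500, 1500),   # BGP-covered source from 64500
        ("198.51.100.9", 64500, 1500),   # IRR-only source from 64500 (asymmetric routing)
        ("203.0.113.5",  64510, 1500),   # 64510's own prefix
        ("203.0.113.5",  64500,   64),   # 64510's prefix arriving from 64500: spoofed
        ("10.1.2.3",     64510,   64),   # private source: bogon
    ]
    for src, peer, _ in sample:
        print(f"{src:>15} from AS{peer}: {classify(src, peer)}")
    print(f"share of bytes with non-accepted sources: {spoofed_volume_share(sample):.2%}")
```

The union of BGP and IRR knowledge is the key design choice: relying on BGP alone produces false positives whenever a peer forwards traffic for prefixes it does not announce at the exchange, while relying on the IRR alone misses peers with stale or missing policy objects. A real deployment would also have to cope with IRR data that is incomplete or outdated and with peers whose customer cones are much larger than their registered export sets, so flagged prefixes are best treated as candidates for analysis, as the two anomalies in the thesis were, rather than dropped outright.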