
Spoofer Project: State of IP Spoofing

Summary:
Current as of: Wed Apr 27 10:03:07 EST 2011
Total Tests: 25964
Unique Client Sessions: 17122


Source address filtering:

Each test run spoofs addresses from adjacent netblocks, beginning with a direct neighbor (IP address + 1) all the way to an adjacent /8. The following figure displays the granularity of source address filtering (typically employed by service providers) along paths tested in our study. If the filtering is occurring on a /8 boundary for instance, a client within that network is able to spoof 16,777,215 other addresses.
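The granularity inference described above can be worked through offline. This is an added example, not the Spoofer client's code: it sends no packets, the client address and filter prefix are constructed, and choosing each adjacent block by flipping one bit of the client address (which gives IP address + 1 for an even address) is an assumption.

```python
import ipaddress

def spoofable_others(prefix_len):
    """Other IPv4 addresses a client can claim when source filtering
    sits on a /prefix_len boundary (16,777,215 for a /8)."""
    return 2 ** (32 - prefix_len) - 1

def adjacent_source(client, prefix_len):
    """Address at the same offset in the sibling /prefix_len block.
    Assumption: the sibling is chosen by flipping the lowest bit of the
    /prefix_len network part, so /32 is the direct neighbor."""
    ip = int(ipaddress.IPv4Address(client))
    return ipaddress.IPv4Address(ip ^ (1 << (32 - prefix_len)))

def probe_results(client, filter_net):
    """For each tested prefix length (/32 down to /8), report whether a
    filter that only admits sources inside filter_net would pass the
    adjacent-block source address."""
    net = ipaddress.IPv4Network(filter_net)
    return {n: adjacent_source(client, n) in net for n in range(32, 7, -1)}

def inferred_boundary(results):
    """Longest prefix whose adjacent source was dropped. With the bit-flip
    choice, the /N sibling shares exactly N-1 leading bits with the client,
    so it is dropped exactly when N <= the filter's prefix length.
    Returns None when nothing was dropped down to /8."""
    blocked = [n for n, passed in results.items() if not passed]
    return max(blocked) if blocked else None

if __name__ == "__main__":
    # Constructed inputs: documentation address, provider filtering on a /24.
    client, filter_net = "198.51.100.10", "198.51.100.0/24"
    results = probe_results(client, filter_net)
    for n, passed in results.items():
        src = adjacent_source(client, n)
        print(f"/{n:<2} {str(src):<16} {'passes' if passed else 'filtered'}")
    boundary = inferred_boundary(results)
    print(f"filter boundary: /{boundary}, "
          f"{spoofable_others(boundary):,} other addresses spoofable")
```
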

Using the tracefilter mechanism, we measure filtering depth: where along the tested path (from each client to the server) filtering is employed. Depth represents the number of IP routers through which the client can spoof before being filtered.

Client tests originate at an autonomous system, i.e. a service provider. Here, we analyze the distribution of successful spoofing in relation to the size of the provider.

Using DNS heuristics, we analyze the distribution of results across different types of clients.

= Source address filtering in place

Client Count   Private   Unallocated   Valid

8262 271 8 532 9 13 31 10

Each test run attempts to send IP packets with different spoofed addresses in order to infer provider filtering policies. Private sources are those defined in RFC1918: e.g. 10/8, 172.16/12, 192.168/16 prefixes. Unallocated sources are IANA Reserved Addresses: e.g. 1/8, 89/8, 90/8 prefixes. Valid source addresses are those present in BGP routing tables.

Geographic Distribution:
We assess the geographic distribution of clients in our dataset both to measure the extent of our testing coverage as well as to determine if any region of the world is more susceptible to spoofing. We use CAIDA's plot-latlong package to generate geographical maps.

Location of client tests

Location of spoofable networks

Failed Spoofs:
Predictably, some percentage of machines will not be able to spoof IP packets regardless of filtering policies. Some reasons are described in our FAQ. We exclude failed clients from our summary results but characterize some of the underlying reasons for failures that we are able to detect below:

Total Completely Failed Spoof Attempts: 9153
Failed as a result of (non-Windows) Operating System block: 316
Failed as a result of being Behind a NAT: 3358
Failed as a result of Windows XP SP2: 575[note]

IPv6 Spoofing:
We began IPv6 probing with version 0.8 of the tester client.

Unique IPv6 Sessions: 51
Spoofing rate (valid IPv6): 0.395%
Spoofing rate (bogon IPv6): 0.376%
Spoofing rate (link-local IPv6): 0.000%

About:
This report, provided by MIT ANA, intends to provide a current aggregate view of ingress and egress filtering and IP Spoofing on the Internet. While the data in this report is the most comprehensive of its type we are aware of, it is still an ongoing, incomplete project. The data here is representative only of the netblocks, addresses and autonomous systems (ASes) of clients from which we have received reports. The more client reports we receive the better - they increase our accuracy and coverage.

Download and run our testing software to automatically contribute a report to our database. Note that this involves generating a small number of IP packets with spoofed source addresses from your box. This has yet to trip any alarms or cause problems for our contributors, but you run the software at your own risk. The software generates a customized report displaying the filtering policies of your Internet service provider(s).

Feedback, comments and bug fixes welcome directly or on the Spoofer Mailing List. Contact Rob Beverly for more information.

This page is regenerated six times daily. Last generated Wed Apr 27 10:03:07 EST 2011.

* Spoofable and unspoofable counts represent actual client reports while estimates are extrapolated from the number of globally routeable netblocks, addresses and ASes respectively.

Individual clients are counted singly regardless of the number of tests performed.
Process Time: 0.012sec ; spoofer@exp1.npshoney.com
