
What:

The Spoofer project measures the Internet's susceptibility to spoofed source address IP packets. Malicious users capitalize on the ability to "spoof" source IP addresses for anonymity, indirection, targeted attacks and security circumvention. Compromised hosts on networks that permit IP spoofing enable a wide variety of attacks.

We measure various source address types (invalid, valid, private), granularity (can you spoof your neighbor's IP address?), and location (which providers are employing source address validation?). Our research is particularly relevant given the regular appearance of new spoofed-source-based exploits, despite decades of filtering effort.

Results:
We generate a summary report on the current "state" of Internet IP source address spoofing/filtering using data from an active measurement tool. Thus far, we've collected data from thousands of clients, networks and providers. More details and published results from our research are also available.
Software:
Please help! By downloading and running our software, you'll help advance the collective understanding of how to better protect the Internet. See screenshots of the tester in action, and a FAQ if you have questions. The following client packages are available (MD5 checksums):

Build                         Description
spoofer-win32-setup-0.8.exe   Windows Binary
spoofer-osx-0.8.dmg           Mac OSX (universal) Binary
spoofer-linux-0.8.tar.gz      Linux Binary
spoofer-0.8.tar.gz            Source Code
changelog                     ChangeLog

Does IP spoofing matter?:
In a word, yes. While botnets, NATs and existing source address validation efforts have changed the security landscape, IP spoofing remains a serious concern. New spoofing-based attacks regularly appear (most recently against the DNS infrastructure) despite decades of previous exploits and prevention/tracing attempts. Our FAQ covers many of the common questions about spoofing relevance.

The IP spoofing problem lies deep at the heart of the original Internet architecture, which produced a network capable of remarkable scalability while relegating security to the end hosts. As a result, the public Internet includes no explicit notion of authenticity. Current prevention mechanisms suffer from incentive issues (employing filtering does not prevent a provider from receiving spoofed source packets), deployment difficulty and management complexity. Our research seeks to inform architectural design and security mechanisms for preventing future attacks.

Methodology:
The spoofer program attempts to send a series of spoofed UDP packets to servers distributed throughout the world. These packets are designed to test:
  • Different classes of spoofed traffic including bogons, RFC1918 and valid sources
  • Ability to spoof neighboring, adjacent addresses
  • Where along the path filtering is employed
  • Presence of a NAT device along the path
  • IPv6 filtering (where applicable)

Full details are available in our publications section.
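
The traffic classes listed above, seen from the filtering side, as an added example (not the Spoofer project's code): it labels candidate source addresses with the methodology's classes and reports which ones a source address validation filter on a given prefix would accept. The function names, the partial bogon list and the sample addresses are assumptions; RFC 5737 documentation prefixes stand in for routable addresses.

```python
import ipaddress

# Constructed, partial bogon list for illustration. The RFC 5737 documentation
# prefixes are deliberately left out because they play "routable" addresses here.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
RFC1918 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_source(src, client_addr, neighbor_bits=24):
    """Map a source address to one of the classes the methodology lists."""
    src = ipaddress.ip_address(src)
    client = ipaddress.ip_address(client_addr)
    if src == client:
        return "own"
    if any(src in net for net in RFC1918):
        return "rfc1918"
    if any(src in net for net in BOGONS):
        return "bogon"
    # "Neighbor" = another address in the client's surrounding block.
    block = ipaddress.ip_network(f"{client}/{neighbor_bits}", strict=False)
    return "neighbor" if src in block else "valid"

def ingress_permits(src, allowed_prefix):
    """Source address validation: accept only sources inside the allowed prefix."""
    return ipaddress.ip_address(src) in ipaddress.ip_network(allowed_prefix)

def filter_report(sources, client_addr, allowed_prefix):
    """Return {source: (class, accepted_by_filter)} for each candidate source."""
    return {s: (classify_source(s, client_addr), ingress_permits(s, allowed_prefix))
            for s in sources}

# Constructed sample: the client itself, a neighbor, another network's address,
# a private address and a reserved address.
CLIENT = "192.0.2.10"
SAMPLE_SOURCES = ["192.0.2.10", "192.0.2.77", "198.51.100.5", "10.1.2.3", "240.0.0.1"]

if __name__ == "__main__":
    # The same sources checked against a per-prefix and a per-host filter.
    for prefix in ("192.0.2.0/24", "192.0.2.10/32"):
        print(f"filter on {prefix}")
        for src, (cls, ok) in filter_report(SAMPLE_SOURCES, CLIENT, prefix).items():
            print(f"  {src:<14} {cls:<9} {'accept' if ok else 'drop'}")
```

A filter applied at /24 granularity drops the bogon, private and foreign sources but still accepts the neighbor's address; only the per-host (/32) filter rejects it.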



$Id: index.php 824 2013-05-15 20:54:21Z rbeverly $