Current as of: Tue Jun 11 20:54:18 EST 2013
Total Tests: 30542
Unique Client Sessions: 20311

Source address filtering:

Each test run spoofs addresses from adjacent netblocks, beginning with
a direct neighbor (IP address + 1) all the way to an adjacent /8.
The following figure displays the granularity of source address filtering
(typically employed by service providers) along paths tested in our study. If
the filtering is occurring on a /8 boundary for instance, a client within that
network is able to spoof 16,777,215 other addresses.

Using the tracefilter mechanism, we measure
filtering depth: where along the tested path (from each client to the server)
filtering is employed. Depth represents the number of IP routers through
which the client can spoof before being filtered.

Client tests originate at an autonomous system, i.e. a service
provider. Here, we analyze the distribution of successful
spoofing in relation to the size of the provider.

Using DNS heuristics, we analyze the distribution of results
across different types of clients.

= Source address filtering in place
| Private | Unallocated | Valid | Client Count |
|  |  |  | 10247 |
|  |  |  | 271 |
|  |  |  | 8 |
|  |  |  | 611 |
|  |  |  | 10 |
|  |  |  | 13 |
|  |  |  | 32 |
|  |  |  | 11 |

Each test run attempts to send IP packets with different spoofed addresses in
order to infer provider filtering policies.
Private sources are those defined in RFC1918: e.g. 10/8, 172.16/12, 192.168/16 prefixes.
Unallocated sources are IANA Reserved Addresses: e.g. 1/8, 89/8, 90/8 prefixes.
Valid source addresses are those present in BGP routing tables.

We assess the geographic distribution of clients in
our dataset both to measure the extent of our testing coverage and
to determine whether any region of the world is more susceptible to
spoofing. We use CAIDA's plot-latlong package to generate
geographical maps.

[Figure: Location of client tests]
[Figure: Location of spoofable networks]

Predictably, some percentage of machines will not be able to spoof IP
packets regardless of filtering policies. Some reasons are described
in our FAQ. We exclude failed
clients from our summary results but characterize below some of the underlying
reasons for failures that we are able to detect:

Total Completely Failed Spoof Attempts: 11153
Failed as a result of (non-Windows) Operating System block: 331
Failed as a result of being Behind a NAT: 3707
Failed as a result of Windows XP SP2: 575

We began IPv6 probing with version 0.8 of the tester client.

Unique IPv6 Sessions: 232
Spoofing rate (valid IPv6): 0.383%
Spoofing rate (bogon IPv6): 0.368%
Spoofing rate (link-local IPv6): 0.000%

This report, provided by CMAND,
intends to provide a current aggregate view of ingress and egress
filtering and IP Spoofing on the Internet. While the data in this report
is the most comprehensive of its type we are aware of, it is still an
ongoing, incomplete project. The data here is representative
only of the netblocks, addresses and autonomous systems (ASes) of clients
from which we have received reports. The more client reports we receive
the better - they increase our accuracy and coverage.

Download and run our testing software
to automatically contribute a report to our database. Note that this
involves generating a small number of IP packets with spoofed source addresses
from your box. This has yet to trip any alarms or cause problems for
our contributors, but you run the software at your own risk. The software
generates a customized report displaying the filtering policies of your
Internet service provider(s).

Feedback, comments and bug fixes welcome directly or on the
Spoofer Mailing List. Contact Rob Beverly for more information.

This page is regenerated six times daily. Last generated Tue Jun 11 20:54:18 EST 2013.

* Spoofable and unspoofable counts represent actual client reports while
estimates are extrapolated from the number of globally
routable netblocks, addresses and ASes respectively.
Individual clients are counted singly regardless of the number of tests
performed.