Dude, where’s that IP? Circumventing measurement-based IP geolocation

Post on 05-Feb-2016


Paper Presentation CAP6135: Malware and Software Vulnerability Analysis – Spring 2013

Omar Nakhila

Citation and acknowledgement

• Gill, Phillipa, Yashar Ganjali, and Bernard Wong. "Dude, Where’s That IP? Circumventing Measurement-based IP Geolocation." 19th USENIX Security Symposium, Washington, DC, August 11–13, 2010.

• http://en.wikipedia.org/wiki/Speed_of_electricity


Presentation Agenda

• What is IP geolocation?
• Why IP geolocation?
• IP geolocation classification and attacks.
• Paper contribution.
• Paper weakness.
• Paper improvement.
• Questions and answers.

What is IP geolocation?

• IP geolocation aims to solve the problem of determining the geographic location of a given IP address.


Why IP geolocation?

• Online advertisers and search engines advertise their content based on the client’s location.

Why IP geolocation? Cont.

• Online content providers such as Hulu, YouTube, etc. limit their content distribution to specific geographic regions.

Why IP geolocation? Cont.

• Law enforcement.


IP geolocation classification

• Passive IP geolocation.
– Uses geolocation databases such as:
• MaxMind.
• Quova.

• Active IP geolocation.
– Delay-based.
• Constraint-Based Geolocation (CBG).
– Topology-aware.
• Octant.
– Other.

Delay-based IP geolocation

• Constraint-Based Geolocation (CBG)

[Figure: landmarks A, B and C ping one another (D_AB = x1, D_AC = x2) and the user IP location (target); plot of the best line function with axes x3 and y3.]

Delay-based IP geolocation

• Constraint-Based Geolocation (CBG)

[Figure: landmarks A, B and C and the user IP location (target), with the distance constraint x3.]

Delay-based IP geolocation attack

• Constraint-Based Geolocation (CBG)
– Speed of light attack.
• Delay time = Distance / Speed.
• The speed of electricity in an unshielded copper conductor ranges from 95 to 97% of the speed of light, while in a typical coaxial cable it is about 66% of the speed of light.
– Best line attack.
• The attacker has access to the best line function in landmarks!

[Figure: best line function, axes x3 and y3.]

Delay-based IP geolocation attack.

[Figure: landmarks A, B and C ping the user IP location; the real location, the fake location and the desired fake location are shown, with errors ϴ and ϵ between them.]

Delay-based IP geolocation attack evaluation

Delay-based geolocation attack evaluation

Delay-based IP geolocation attack results

[Figure: results for the speed of light (SOL) and best line function variants of the attack.]

Delay-based IP geolocation attack results

Limiting delay-based IP geolocation attack

Topology-aware IP geolocation

• Octant

[Figure: landmarks A, B and C locate the user IP location (target) using tracert and ping.]

Topology-aware IP geolocation

• Octant single gateway

[Figure: landmarks A, B and C reach the user IP location (target) through a single gateway, using tracert and ping; the delay of the last route is measured.]

Topology-aware IP geolocation

• Octant single gateway based attack

[Figure: landmarks A, B and C and the user IP location (target), using tracert and ping.]

Topology-aware IP geolocation

• Octant multi-gateway based.

[Figure: landmarks A, B and C reach the user IP location (target) through several gateways, using tracert and ping; the delay of the last route is measured for each gateway.]

Topology-aware IP geolocation attack.

• Octant multi-gateway based attack.

[Figure: landmarks A, B and C, the user IP location (target) and the fake location, using tracert and ping.]

Topology-aware IP geolocation attack.

• Naming attack: can affect both single- and multi-gateway topology-aware geolocation.

• The attack is based on the undns tool.
• Each router has a DNS domain name.
• The undns tool maps a router's DNS domain name to a city.
• This naming attack requires that the attacker be capable of crafting a domain name that deceives the undns tool.
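An added example (not code from the paper, the presentation or the undns tool) of what the naming step looks like and how a defender can sanity-check it. A router's city is inferred from its reverse-DNS name with a constructed naming rule and airport-code table that stand in for undns's per-ISP rules, and the claimed city is then compared with the speed-of-light bound implied by the landmark's RTT to that hop: a name that places a 5 ms hop on the other coast cannot be trusted as a location hint. The hostnames, the `example-isp.net` convention, the coordinates and the 200 km/ms propagation speed are all constructed for the example.

```python
import math
import re

# Assumed propagation speed of about 2/3 c, roughly 200 km per ms (constructed constant).
KM_PER_MS = 200.0

# Constructed naming convention standing in for undns's per-ISP rules:
# "<interface>.<airport-code><two digits>.example-isp.net". This is not undns itself.
HOSTNAME_RE = re.compile(r"^[a-z0-9-]+\.([a-z]{3})\d{2}\.example-isp\.net$")

# Constructed airport-code table: code -> (city, (lat, lon)).
CITY_BY_CODE = {
    "lax": ("Los Angeles", (34.05, -118.24)),
    "las": ("Las Vegas", (36.17, -115.14)),
    "jfk": ("New York", (40.64, -73.78)),
}


def city_from_hostname(hostname):
    """Mimics the undns step: infer a router's city from its reverse-DNS name.
    Returns (city, (lat, lon)) or None when the name matches no naming rule."""
    m = HOSTNAME_RE.match(hostname.lower())
    return CITY_BY_CODE.get(m.group(1)) if m else None


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def check_hop(hostname, rtt_ms, landmark_pos):
    """Cross-check the hostname-derived city against the landmark's RTT to the hop.

    Returns "unknown" (no naming rule matched), "consistent" (the claimed city lies
    within the speed-of-light distance bound) or "implausible" (it does not, so the
    name must not be used as a location hint)."""
    hit = city_from_hostname(hostname)
    if hit is None:
        return "unknown"
    _city, pos = hit
    max_km = (rtt_ms / 2.0) * KM_PER_MS      # one-way delay bounds the distance
    return "consistent" if haversine_km(landmark_pos, pos) <= max_km else "implausible"


if __name__ == "__main__":
    # Constructed traceroute hops as seen from a landmark located in Los Angeles.
    LANDMARK_LA = (34.05, -118.24)
    for name, rtt in (("ae1-0.las01.example-isp.net", 5.0),
                      ("ae2-0.jfk01.example-isp.net", 5.0),
                      ("core1.unknown-isp.example", 5.0)):
        print(f"{name}: {check_hop(name, rtt, LANDMARK_LA)}")
```

The check is deliberately one-sided: a consistent name is merely not ruled out, since an attacker who controls the reverse zone can pick any nearby code, so the hostname hint should only ever narrow a delay-derived region, never replace it.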

Topology-aware IP geolocation

• Octant naming attack.

[Figure: landmarks A, B and C, using tracert and ping, reach the user IP location (target) through a router whose domain name belongs to Nevada (fake router location).]

Topology-aware IP geolocation attack simulation.

[Figure: simulated topology showing gateways, fake routers and fake locations.]

• 4 gateway routers (black).
• 11 forged locations (T) (white).
• 14 non-existent internal routers (F) (red).
• 80 targets (50 North American and 30 European).

Topology-aware geolocation attack results

Topology-aware geolocation attack results


Paper Contribution

• The paper surveyed current IP geolocation algorithms such as CBG and Octant, which reach accuracies of 35–194 km, making them suitable for geolocation within a country.

• Also, the paper illustrated how the above IP geolocation algorithms can be vulnerable.

• Then, the paper proposed that a delay-based attack can be detected by setting a threshold on the size of the localization region.
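The following is an added example, not code from the paper or the presentation, that ties the CBG slides to the detection idea above: each landmark's RTT to the target is converted into a maximum-distance circle (the speed-of-light constraint from the attack slide), CBG's localization region is the intersection of those circles, and its centroid is the location estimate. Because a host can only add delay to its replies, never remove it, the true location always stays inside every circle while the region itself grows, which is why a threshold on the region's size flags inflated delays. The landmark coordinates on a flat km grid, the 200 km/ms propagation speed, the 0.5 ms jitter, the 5 ms inserted delay and the 100,000 km² threshold are all constructed assumptions for the example.

```python
import math

# Assumed effective propagation speed, about 2/3 of c (roughly 200 km per ms).
# Constructed constant; the slide quotes ~66% of c for coaxial cable.
KM_PER_MS = 200.0

# Constructed landmark positions on a flat km grid (a planar stand-in for
# geographic coordinates, sufficient to show the mechanics).
LANDMARKS = {
    "A": (0.0, 0.0),
    "B": (1000.0, 0.0),
    "C": (500.0, 800.0),
}

# Constructed detection threshold: a localization region larger than this many
# km^2 is treated as suspicious. The paper proposes such a threshold; the value is ours.
MAX_REGION_KM2 = 100_000.0


def distance_km(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def rtt_to_max_distance_km(rtt_ms):
    """Speed-of-light constraint: one-way delay times propagation speed bounds the distance."""
    return (rtt_ms / 2.0) * KM_PER_MS


def simulate_rtts(target, extra_delay_ms):
    """Constructed RTT measurements from every landmark to the target.

    extra_delay_ms stands for everything on top of pure propagation delay:
    a little queueing jitter for an honest host, or a large delay a host inserts
    before answering. Either way RTT can only grow, so the true location always
    remains inside every constraint circle."""
    return {name: 2.0 * distance_km(pos, target) / KM_PER_MS + extra_delay_ms
            for name, pos in LANDMARKS.items()}


def within_constraints(rtts, point):
    """True if the point satisfies every landmark's distance constraint."""
    return all(distance_km(point, LANDMARKS[n]) <= rtt_to_max_distance_km(r)
               for n, r in rtts.items())


def cbg_region(rtts, step_km=10, bounds=(-500, 1500, -500, 1500)):
    """CBG: grid-sample the intersection of the per-landmark constraint circles."""
    x0, x1, y0, y1 = bounds
    return [(float(x), float(y))
            for y in range(y0, y1 + 1, step_km)
            for x in range(x0, x1 + 1, step_km)
            if within_constraints(rtts, (x, y))]


def region_area_km2(points, step_km=10):
    """Area of the sampled region: one grid cell per feasible point."""
    return len(points) * step_km * step_km


def estimate_location(points):
    """CBG's point estimate: the centroid of the feasible region (None if empty)."""
    if not points:
        return None
    n = len(points)
    return (sum(p[0] for p in points) / n, sum(p[1] for p in points) / n)


def flag_suspicious(area_km2, threshold_km2=MAX_REGION_KM2):
    """The paper's defence: an implausibly large region means the delays were inflated."""
    return area_km2 > threshold_km2


if __name__ == "__main__":
    true_target = (300.0, 200.0)
    for label, extra in (("honest host (0.5 ms jitter)", 0.5),
                         ("delay-inflating host (+5 ms)", 5.0)):
        rtts = simulate_rtts(true_target, extra)
        region = cbg_region(rtts)
        area = region_area_km2(region)
        print(f"{label}: estimate={estimate_location(region)}, "
              f"area={area:.0f} km^2, suspicious={flag_suspicious(area)}")
```

With the honest measurements the region is a small patch around the true location and its centroid lands within a few tens of km of it; with 5 ms of inserted delay every circle widens by 500 km, the region swells to several hundred thousand km² and the threshold check fires. The threshold itself trades off against landmark density: sparser landmarks produce larger honest regions, which is the landmark-distribution question raised later in the deck.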


Paper Weakness

• The paper didn’t explain the complexity of gaining access to the best line function.
• The paper also didn’t explain the complexity of manipulating the undns tool.
• Lack of an efficient detection method to catch the undns topology-aware IP geolocation attack.
• The scientific reasoning for the PlanetLab landmark distribution in relation to IP geolocation was not clear.
• Using ping and traceroute to measure delay time and route information is not recommended, since administrators tend to drop these types of packets.


Paper Improvement

• The impact of landmark distribution on both attacks.

• Study the effect of using reliable protocols to limit both attacks.


Question and Answer

Thank You