Dude, where’s that IP? Circumventing measurement-based IP geolocation

Dude, where’s that IP? Circumventing measurement-based IP geolocation Paper Presentation CAP6135: Malware and Software Vulnerability Analysis – Spring 2013 Omar Nakhila


Page 1: Dude, where’s that IP? Circumventing measurement-based IP geolocation

Dude, where’s that IP? Circumventing measurement-based IP geolocation

Paper Presentation CAP6135: Malware and Software Vulnerability Analysis – Spring 2013

Omar Nakhila

Page 2: Dude, where’s that IP? Circumventing measurement-based IP geolocation

Citation and acknowledgement

• Gill, Phillipa, Yashar Ganjali, and Bernard Wong. "Dude, Where’s That IP? Circumventing Measurement-based IP Geolocation." 19th USENIX Security Symposium, Washington, DC, August 11-13, 2010.

• http://en.wikipedia.org/wiki/Speed_of_electricity

Page 3: Dude, where’s that IP? Circumventing measurement-based IP geolocation

Presentation Agenda

• What is IP geolocation?
• Why IP geolocation?
• IP geolocation classification and attacks.
• Paper contribution.
• Paper weakness.
• Paper improvement.
• Questions and answers.

Page 4: Dude, where’s that IP? Circumventing measurement-based IP geolocation

What is IP geolocation?

• IP geolocation aims to solve the problem of determining the geographic location of a given IP address.


Page 6: Dude, where’s that IP? Circumventing measurement-based IP geolocation

Why IP geolocation?

• Online advertisers and search engines advertise their content based on the client’s location.

Page 7: Dude, where’s that IP? Circumventing measurement-based IP geolocation

Why IP geolocation? Cont.

• Online content providers such as:
  – Hulu.
  – YouTube.
  – etc.
  limit their content distribution to specific geographic regions.

Page 8: Dude, where’s that IP? Circumventing measurement-based IP geolocation

Why IP geolocation? Cont.

• Law enforcement.


Page 10: Dude, where’s that IP? Circumventing measurement-based IP geolocation

IP geolocation classification

• Passive IP geolocation.
  – Uses geolocation databases such as:
    • MaxMind.
    • Quova.
• Active IP geolocation.
  – Delay-based.
    • Constraint-Based Geolocation (CBG)
  – Topology-aware.
    • Octant.
  – Other.

Page 11: Dude, where’s that IP? Circumventing measurement-based IP geolocation

Delay-based IP geolocation

• Constraint-Based Geolocation (CBG)

[Figure: Landmark A, Landmark B, Landmark C and the user IP location (target), connected by ping measurements. Labels: D_AB = x1, D_AC = x2, x3, y3, "Best Line Function".]

Page 12: Dude, where’s that IP? Circumventing measurement-based IP geolocation

Delay-based IP geolocation

• Constraint-Based Geolocation (CBG)

[Figure: Landmark A, Landmark B, Landmark C and the user IP location (target). Label: x3.]

Page 13: Dude, where’s that IP? Circumventing measurement-based IP geolocation

Delay-based IP geolocation attack

• Constraint-Based Geolocation (CBG)
  – Speed of light attack.
    • Delay time = Distance / Speed
    • Speed of electricity in an unshielded copper conductor ranges 95 to 97% that of the speed of light, while in a typical coaxial cable it is about 66% of the speed of light.
  – Best line attack.
    • The attacker has access to the best line function in landmarks!

[Figure labels: x3, y3.]

Page 14: Dude, where’s that IP? Circumventing measurement-based IP geolocation

Delay-based IP geolocation attack.

[Figure: Landmark A, Landmark B and Landmark C ping the user IP location; the figure marks the real location, the fake location and the desired fake location. Labels: x3, y3, ϴ error, ϵ error.]

Page 15: Dude, where’s that IP? Circumventing measurement-based IP geolocation

Delay-based IP geolocation attack evaluation


Page 16: Dude, where’s that IP? Circumventing measurement-based IP geolocation

Delay-based geolocation attack evaluation


Page 17: Dude, where’s that IP? Circumventing measurement-based IP geolocation

Delay-based IP geolocation attack results

[Figure panels: SOL; Best line function]

Page 18: Dude, where’s that IP? Circumventing measurement-based IP geolocation

Delay-based IP geolocation attack results


Page 19: Dude, where’s that IP? Circumventing measurement-based IP geolocation

Limiting delay-based IP geolocation attack


Page 20: Dude, where’s that IP? Circumventing measurement-based IP geolocation

Topology-aware IP geolocation

• Octant

[Figure: Landmark A, Landmark B, Landmark C and the user IP location (target), measured using tracert and ping.]

Page 21: Dude, where’s that IP? Circumventing measurement-based IP geolocation

Topology-aware IP geolocation

• Octant single gateway

[Figure: Landmark A, Landmark B, Landmark C and the user IP location (target), measured using tracert and ping. Label: delay of the last route.]

Page 22: Dude, where’s that IP? Circumventing measurement-based IP geolocation

Topology-aware IP geolocation

• Octant single gateway based attack

[Figure: Landmark A, Landmark B, Landmark C and the user IP location (target), measured using tracert and ping.]

Page 23: Dude, where’s that IP? Circumventing measurement-based IP geolocation

Topology-aware IP geolocation

• Octant multi-gateway based.

[Figure: Landmark A, Landmark B, Landmark C and the user IP location (target), measured using tracert and ping. Label, shown three times: delay of the last route.]

Page 24: Dude, where’s that IP? Circumventing measurement-based IP geolocation

Topology-aware IP geolocation attack.

• Octant multi-gateway based attack.

[Figure: Landmark A, Landmark B, Landmark C and the user IP location (target), measured using tracert and ping; the user IP location (fake location) is also marked.]

Page 25: Dude, where’s that IP? Circumventing measurement-based IP geolocation

Topology-aware IP geolocation attack.

• Naming attack; it can affect both single- and multi-gateway topology-aware geolocation.
• The attack is based on the undns tool.
• Each router will have a DNS domain name.
• The undns tool will map a router's DNS domain name to a city.
• This naming attack requires that the attacker be capable of crafting a domain name that can deceive the undns tool.

Page 26: Dude, where’s that IP? Circumventing measurement-based IP geolocation

Topology-aware IP geolocation

• Octant naming attack.

[Figure: Landmark A, Landmark B, Landmark C and the user IP location (target), measured using tracert and ping. Labels: "Domain name belongs to Nevada", "Fake Router Location".]

Page 27: Dude, where’s that IP? Circumventing measurement-based IP geolocation

Topology-aware IP geolocation attack simulation.

[Figure labels: Gateways, Fake Router, Fake location.]

• 4 gateway routers (Black Colored)
• 11 forged locations (T) (White Colored)
• and 14 non-existent internal routers (F) (Red Colored)
• 80 Targets (50 North America and 30 European)

Page 28: Dude, where’s that IP? Circumventing measurement-based IP geolocation

Topology-aware geolocation attack results


Page 29: Dude, where’s that IP? Circumventing measurement-based IP geolocation

Topology-aware geolocation attack results



Page 31: Dude, where’s that IP? Circumventing measurement-based IP geolocation

Paper Contribution

• The paper surveyed current IP geolocation algorithms (such as CBG and Octant), which have accuracies of 35-194 km, making them suitable for geolocation within a country.

• Also, the paper illustrated how the above IP geolocation algorithms can be vulnerable.

• Then, the paper proposed that a delay-based attack can be detected by setting a certain threshold on the size of the localization region.
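
The region-size threshold check from the last bullet, as an added example (not code from the paper or from this presentation): each landmark's RTT is turned into a maximum distance with Delay time = Distance / Speed, the resulting discs are intersected on a grid, and the target is flagged when the region is larger than a limit. It uses a speed-of-light bound rather than a per-landmark best line function; the landmark coordinates, RTT values, the 0.66c speed applied to every link and the 2,000,000 km² threshold are assumptions constructed for illustration.

```python
import math

C_KM_PER_MS = 299.792458   # speed of light in vacuum, km per millisecond
PROPAGATION = 0.66         # fraction of c; the slide's coaxial figure, assumed for all links
KM_PER_DEG = 111.32        # approximate km per degree of latitude

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(min(1.0, math.sqrt(a)))

def max_distance_km(rtt_ms):
    """Delay = distance / speed, so half the RTT bounds the landmark-target distance."""
    return (rtt_ms / 2) * C_KM_PER_MS * PROPAGATION

def region_area_km2(measurements, step_deg=0.5):
    """Grid estimate of the area where every landmark's distance constraint holds.
    measurements: list of (landmark_lat, landmark_lon, rtt_ms)."""
    discs = [(lat, lon, max_distance_km(rtt)) for lat, lon, rtt in measurements]
    lat0, lon0, r0 = min(discs, key=lambda d: d[2])  # region lies inside the smallest disc
    dlat = r0 / KM_PER_DEG
    lat_lo, lat_hi = max(lat0 - dlat, -89.0), min(lat0 + dlat, 89.0)
    # Longitude span is widest at the box edge farthest from the equator.
    narrow = max(math.cos(math.radians(max(abs(lat_lo), abs(lat_hi)))), 0.05)
    dlon = min(r0 / (KM_PER_DEG * narrow), 180.0)
    area, lat = 0.0, lat_lo
    while lat <= lat_hi:
        cell = (step_deg * KM_PER_DEG) ** 2 * math.cos(math.radians(lat))
        lon = lon0 - dlon
        while lon <= lon0 + dlon:
            if all(haversine_km(lat, lon, la, lo) <= r for la, lo, r in discs):
                area += cell
            lon += step_deg
        lat += step_deg
    return area

def looks_delay_padded(measurements, threshold_km2):
    """Flag a target whose localization region is larger than the allowed size."""
    return region_area_km2(measurements) > threshold_km2

# Constructed sample: three landmarks (approximate city coordinates) with RTTs in ms.
HONEST = [(40.71, -74.01, 10.0), (41.88, -87.63, 6.0), (33.75, -84.39, 9.0)]
PADDED = [(lat, lon, rtt + 30.0) for lat, lon, rtt in HONEST]  # same landmarks, 30 ms added
THRESHOLD_KM2 = 2_000_000  # assumed cut-off; tune against regions of known-good targets

if __name__ == "__main__":
    for name, m in (("honest", HONEST), ("padded", PADDED)):
        print(name, round(region_area_km2(m)), looks_delay_padded(m, THRESHOLD_KM2))
```

Because added delay can only loosen each landmark's constraint, the region grows with it, which is what the size threshold keys on.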



Page 33: Dude, where’s that IP? Circumventing measurement-based IP geolocation

Paper Weakness

• The paper didn’t explain the complexity of gaining access to the best line function.
• The paper also didn’t explain the complexity of manipulating the undns tool.
• Lack of an efficient detection method to catch the undns topology-aware IP geolocation attack.
• The scientific reasoning for the PlanetLab landmarks distribution in relation to IP geolocation was not clear.
• Using ping and traceroute to measure the delay time and route information is not recommended, since administrators tend to drop these types of packets.


Page 35: Dude, where’s that IP? Circumventing measurement-based IP geolocation

Paper Improvement

• The impact of landmark distribution on both attacks.

• Study the effect of using reliable protocols to limit both attacks.


Page 37: Dude, where’s that IP? Circumventing measurement-based IP geolocation

Question and Answer


Page 38: Dude, where’s that IP? Circumventing measurement-based IP geolocation

Thank You
