Dude, Where’s that IP
Circumventing measurement-based IP geolocation

Phillipa Gill, Yashar Ganjali, Dept. of CS, University of Toronto

Bernard Wong, Dept. of CS, Cornell University

David Lie, Dept. of Electrical and Computer Engineering, University of Toronto

USENIX SECURITY SYMPOSIUM, August, 2010

A Presentation at Advanced Defense Lab


Outline
Introduction
Geolocation Background
Security Model
Delay-based geolocation
Topology-aware geolocation
Conclusion


Introduction
Are current geolocation algorithms accurate enough to locate an IP within a certain country or jurisdiction?

How can adversaries attack a geolocation system?

How effective are such attacks?


Geolocation Background


Security Model
The user wants to know the geolocation of an IP.
The IP owner wants to mislead that user to a forged target.
Additive noise is introduced by the Internet.
Two assumptions:
The adversary can’t compromise the landmarks or run code on them, but it can modify the properties of traffic traveling on network links directly connected to a machine under its control.
The network measurements made by landmarks actually reach the target.


Delay-based geolocation
Uses measurements of end-to-end network delays to geolocate the target IP.
The landmarks (Li) have known geographic locations (Gi).
Inter-landmark pairs (Gij, Dij) of geographic distance and measured delay calibrate a distance-to-delay function.


Delay-based geolocation: Attack the CBG system
Evaluation on PlanetLab


Delay-based geolocation: Attack the CBG system
50 nodes from PlanetLab take turns as the target (2,500 results).
40 nodes in the US
10 nodes outside the US


Delay-based geolocation: Attack the CBG system
An adversary can’t move a target that is not within the same region as the landmarks into that region.
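As an added illustration, not code from the slides or the paper, a toy constraint-based geolocation (CBG) in Python: landmarks with known locations turn measured RTTs into distance discs, the target estimate is the centroid of the discs' intersection, and the size of that intersection is returned as an uncertainty indicator. It assumes a flat 200 km/ms bound in place of CBG's per-landmark bestline and uses constructed landmark coordinates and RTTs; the "attack" RTTs simply add 10 ms, which can only enlarge every disc, so the feasible region grows but never loses the true location, which is why added delay cannot pull a distant target into the landmarks' region.

```python
import math

# Assumed (not from the paper): ~2/3 c, about 200 km per ms of one-way delay.
# CBG proper fits a per-landmark bestline; this flat bound simplifies the example.
MAX_KM_PER_MS = 200.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(min(1.0, a)))

def rtt_to_max_km(rtt_ms):
    """Distance upper bound: half the RTT bounds the one-way delay."""
    return MAX_KM_PER_MS * rtt_ms / 2.0

def cbg_feasible_cells(landmarks, rtts, step=1.0):
    """Integer-degree grid cells lying inside every landmark's distance disc.
    landmarks: [(lat, lon), ...] with known locations; rtts: ms, same order."""
    radii = [rtt_to_max_km(r) for r in rtts]
    pad = max(radii) / 111.0                       # ~111 km per degree of latitude
    lats, lons = [la for la, _ in landmarks], [lo for _, lo in landmarks]
    lat0, lat1 = math.floor(min(lats) - pad), math.ceil(max(lats) + pad)
    lon0, lon1 = math.floor(min(lons) - pad), math.ceil(max(lons) + pad)
    cells = set()
    lat = float(lat0)
    while lat <= lat1:
        lon = float(lon0)
        while lon <= lon1:
            if all(haversine_km(lat, lon, la, lo) <= rad
                   for (la, lo), rad in zip(landmarks, radii)):
                cells.add((lat, lon))
            lon += step
        lat += step
    return cells

def cbg_estimate(landmarks, rtts):
    """Centroid of the feasible region, plus its cell count as an uncertainty
    indicator: added delay can only enlarge discs, so the region only grows."""
    cells = cbg_feasible_cells(landmarks, rtts)
    if not cells:
        return None                                # inconsistent measurements
    lat = sum(c[0] for c in cells) / len(cells)
    lon = sum(c[1] for c in cells) / len(cells)
    return (round(lat, 2), round(lon, 2), len(cells))
# Constructed sample: NYC, Chicago, Dallas landmarks; target is near Atlanta.
LANDMARKS = [(40.7, -74.0), (41.9, -87.6), (32.8, -96.8)]
HONEST_RTTS = [16.0, 13.0, 15.0]                 # ms, ~1000-1200 km with slack
ATTACK_RTTS = [r + 10.0 for r in HONEST_RTTS]    # 10 ms added on the target's link
```

Comparing the cell counts of the honest and attacked runs shows the inflation an operator could watch for; the attacked region is a strict superset of the honest one.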

Delay-based geolocation: Attack the CBG system (result figures, not included in the transcript)


Topology-aware geolocation
Accounts for all intermediate routers in addition to the target node.
TBG: Towards IP Geolocation Using Delay and Topology Measurements.
Octant: A Comprehensive Framework for the Geolocalization of Internet Hosts.
The target is localized to a feasibility region generated from the latencies at the last hop(s) before the target, and the centroid of the region is returned.


Topology-aware geolocation
If the network paths from the landmarks to the target converge at a single common gateway router, increasing the end-to-end delays between the landmarks and the target can be detected and mitigated by topology-aware geolocation systems.


Topology-aware geolocation
Increasing the delay between each gateway and the target can only be as effective against topology-based geolocation as increasing end-to-end delays is against delay-based geolocation with a reduced set of landmarks.


Topology-aware geolocation: Attack them
ER = {er0, er1, …, erm}: externally visible nodes in the adversary’s network, consisting of gateway routers.
F = {f0, f1, …, fn}: internal routers, which can be fictitious.
T = {T0, T1, …, Ts}: end-points.
G = (V, E): V = F ∪ ER ∪ T represents the routers; E = {e0, e1, …, ek} with weights w(ei) is the set of links connecting the routers, with the weights representing network delays.


Topology-aware geolocation: Attack them
An adversary with control over three or more geographically distributed gateway routers to its network can move the target to an arbitrary location.
Topology-based attacks can assign arbitrary latencies from the ingress points to the target.
Naming attack extension: topology-based geolocation systems [TBG, Octant] rely on the undns tool, which can extract approximate city locations from the domain names of routers.


Topology-aware geolocation: Attack them
Red: 14 non-existent internal routers (F)
White: 11 forged locations (T)
Black: 4 external routers (ER)


Topology-aware geolocation: Attack them
Using the same set of 50 PlanetLab nodes used in evaluating the delay-adding attack, with an additional 30 European PlanetLab nodes that act only as targets attempting to move into North America.
Each of the 80 PlanetLab nodes takes a turn being the target, with the remaining US PlanetLab nodes used as landmarks. Total of 880 attacks.

Topology-aware geolocation: Attack them (result figure, not included in the transcript)

Topology-aware geolocation: Attack them
Without the undns extension: a NA target is moved to within 680 km 50% of the time; moving a target from EU to NA lands within 929 km.

Topology-aware geolocation: Attack them (result figure, not included in the transcript)

Topology-aware geolocation: Attack them
The definition of circuitousness (C):


Conclusion
Developed and evaluated two attacks against delay-based and topology-aware geolocation.
The most surprising finding is that the more advanced and accurate topology-aware geolocation techniques are more susceptible to covert tampering than the simpler delay-based techniques.
Topology-aware geolocation fares no better against a simple adversary and worse against a sophisticated one.
