Rumors Stop with the Wise: Unveiling Inbound SAV Deployment Through Spoofed ICMP Messages
Shuaicong Yu,Shuying Zhuang,Tao Yu,Changqing An,Jilong Wang
DOI: https://doi.org/10.1145/3646547.3688417
2024-01-01
Abstract:In the era of increasing network-based threats, particularly IP spoofing, Source Address Validation (SAV) is paramount for network security. The effective deployment of Inbound Source Address Validation (ISAV) is crucial yet often inadequate, posing significant risks to Internet infrastructure. This study presents ICMP_Sonar, a measurement system that deploys "rumors" -carefully crafted spoofed ICMP packets-to probe the network's defenses, revealing the "wise" networks with their robust ISAV implementations. ICMP_Sonar introduces two novel approaches that exploit the characteristics of ICMP unreachable messages and ICMP fragment needed messages, and exhibits the advantages of high coverage, fine granularity, low error rates, and the ability to measure in both IPv4 and IPv6. We also evaluate the applicability and security risks of ICMP error messages. Through large-scale measurements, ICMP_Sonar successfully covers 86M IPv4 hosts (0.8M IPv6 hosts), 3.5M IPv4 /24 subnets (24K IPv6 /40 subnets), and 59K IPv4 ASes (8.3K IPv6 ASes), surpassing the state-of-the-art dual-stack method's coverage by 16.2 (51.6), 2.9 (2.34), and 1.7 (1.7) times, respectively. The broad coverage across multiple granularities enables us to capture a more comprehensive and fine-grained view of ISAV deployment. Measurements show that while the percentage of ASes with no ISAV deployment is lower than previously identified, the percentage of ASes with partial ISAV deployment is much higher, indicating significant gaps in overall security. The analysis also reveals that ISAV deployment practices vary across different networks and between IPv4 and IPv6.