SAVNET's Incentive Consideration for Defence Against Reflection Attacks

Nowadays, reflection attack has become one of the most common attacks based on source address spoofing. However, the victim network in a reflection attack may not receive the spoofing request. If an intermediate network deploys SAV to protect itself against source address spoofing attacks, such as single-packet attacks, flood-based DoS, and etc , it can help prevent the reflection attack when receiving the spoofing request. Therefore, to mitigate reflection attacks, customer or user networks are increasingly asking their upstreaming providers to deploy SAV as close to the source as possible and to protect their source addresses from being forged. Considering the security requirements of customer or user networks, network operators are willing to improve their competitiveness by implementing SAV, so they will attract more users and gain more profits. More recently, RFC8704 or BCP84 proposes the Enhanced Feasible-Path Unicast Reverse Path Forwarding (EFP-uRPF) and recommends operators to adopt EFP-uRPF at customer interfaces in most inter-domain scenarios. Different from BCP38, EFP-uRPF provides direct incentive to some extent, as it aims to prevent spoofed packets from entering the deployed network. However, EFP-uRPF is essentially performing ingress filtering at a higher aggregation point (i.e., the top AS of a customer cone) and does not provide protection against spoofing traffic from provider and peer interfaces. Moreover, the victim network will not gain additional protection against reflection attack even if it deploys EFP-uRPF. Therefore, EFP-uRPF cannot perfectly meet the above security requirements of customer or user networks. In the following, we use reflection attack as an example to measure the incentive that EFP-uRPF or SAVNET can provide to the victim network. We simplify the participants in a reflection attack into three roles (attacker network, reflector network, and victim network) and enumerate three attack scenarios by changing the relative positions of the three roles. In each scenario, we suppose the victim network always deploys SAV mechanism (EFP-uRPF or SAVNET), because only the victim can get benefit from the SAV mechanism. Then, for any deployment case of the other two networks (i.e., attacker network and reflector network), we check whether the reflection attack can be prevented. If so, the victim network has strong motivation to deploy SAV; if not, the victim network has weak motivation to deploy SAV. Since there is no specific SAVNET solution yet, we assume SAVNET can meet the "Accuracy SAV" requirement defined in and , i.e, learning real incoming interfaces for source prefixes based on control-plane information sent from the owner of the source prefixes. In the preliminary idea of SAVNET, each deployed network notifies the valid incoming interfaces for its source prefixes to other deployed networks.

Figure 1 shows the first reflection attack scenario where the reflector network is located between the attacker network and the victim network. The attacker spoofs the source address of the victim and sends a forged request to the reflector. After receiving the request from attacker, the reflector responds to the victim.

Relationship between AS1 and AS2 Relationship between AS2 and AS3 EFP-uRPF algorithm A EFP-uRPF algorithm B SAVNET P2C P2C FAIL FAIL FAIL P2P P2C FAIL FAIL FAIL C2P C2P FAIL FAIL FAIL C2P P2P FAIL FAIL FAIL C2P P2C FAIL FAIL FAIL Table 1 shows the effectiveness of EFP-uRPF and SAVNET against the reflection attack under different relationships among AS1, AS2, and AS3. We omit combinations of relationships that violate valley-free principle. If only the victim network deploys SAV, both EFP-uRPF and SAVNET fail to prevent the reflection attack in scenario 1, because the victim network does not receive the forged request at all.

Relationship between AS1 and AS2 Relationship between AS2 and AS3 EFP-uRPF algorithm A EFP-uRPF algorithm B SAVNET P2C P2C FAIL FAIL WORK P2P P2C FAIL FAIL WORK C2P C2P FAIL FAIL WORK C2P P2P FAIL FAIL WORK C2P P2C FAIL FAIL WORK Table 2 shows that SAVNET works best when victim network and attacker network deploy SAV. If AS1 and AS3 deploy SAVNET, AS1 learns that traffic with victim's source address must come from outside the AS, not inside the AS. Therefore, SAVNET in AS1 can successfully detect the forged request and prevent the reflection attack. However, since EFP-uRPF in AS1 does not verify outgoing traffic, EFP-uRPF fails in this deployment case.

Relationship between AS1 and AS2 Relationship between AS2 and AS3 EFP-uRPF algorithm A EFP-uRPF algorithm B SAVNET P2C P2C FAIL FAIL WORK P2P P2C FAIL FAIL WORK C2P C2P WORK WORK WORK C2P P2P WORK WORK WORK C2P P2C WORK FAIL WORK As shown in Table 3, SAVNET works best when victim network and reflector network deploy SAV. If AS2 and AS3 deploy SAVNET, AS2 learns that traffic with victim's source address must come from AS3, so it will block the forged request from AS1. If AS2 and AS3 deploy EFP-uRPF, since EFP-uRPF only work for traffic from customer interfaces, EFP-uRPF algorithm A and algorithm B both fail when AS1 is the provider/peer of AS2. EFP-uRPF algorithm A works well when AS1 is the customer of AS2, but EFP-uRPF algorithm B still fails when AS1 and AS3 are both in the customer cone of AS2, because EFP-uRPF algorithm B cannot identify source address spoofing between ASes in customer cone.

Figure 2 shows the second reflection attack scenario. In scenario 2, the victim network is located between the attack network and the reflector network. When attacker sends a forged request to the reflector, the request first arrives at the victim network and then be forwarded to the reflector network. Subsequently, the reflector responds to the victim.

Relationship between AS1 and AS3 Relationship between AS3 and AS2 EFP-uRPF algorithm A EFP-uRPF algorithm B SAVNET P2C P2C FAIL FAIL WORK P2P P2C FAIL FAIL WORK C2P C2P WORK WORK WORK C2P P2P WORK WORK WORK C2P P2C WORK WORK WORK Table 5 shows the effectiveness of EFP-uRPF and SAVNET when only AS3 in scenario 2 deploys SAV. If AS3 deploys SAVNET, it can reject the forged request when it receives the forged request. If AS3 deploys EFP-uRPF, it only works when AS1 is the customer of AS3 because EFP-uRPF only implements SAV filtering at customer interfaces. We also compare EFP-uRPF and SAVNET in the following three deployment cases. We find that if the SAV mechanism is EFP-uRPF algorithm A or EFP-uRPF algorithm B, only the victim network in scenario 2 has the possibility to reject the forged request by implementing SAV. Even if attacker network or reflector network also deploys EFP-uRPF, it does not provide additional assistance to victim network. Therefore, on the basis that the victim network has deployed SAV, SAVNET always works best in different deployment cases.

Figure 3 shows the third reflection attack scenario. The attacker network is located between the victim network and the reflector network. Attacker spoofs victim's source address in the request sent to reflector. Reflector receives the request from the attacker network and sends a response to the victim network via the attacker network. Below we make the incentive comparison between EFP-uRPF and SAVNET in scenario 3. By varying SAV deployment status of attacker network and reflector network, we find all SAV mechanisms fail in preventing the reflection attack in this scenario. For victim network, it does not receive the forged request. For attacker network and reflector network, SAV in their networks cannot identify this spoofing because the forged source address (i.e., victim's source address) shares the same valid incoming interface with the actual one (i.e., attacker's source address).

Relationship between AS3 and AS1 Relationship between AS1 and AS2 EFP-uRPF algorithm A EFP-uRPF algorithm B SAVNET P2C P2C FAIL FAIL FAIL P2P P2C FAIL FAIL FAIL C2P C2P FAIL FAIL FAIL C2P P2P FAIL FAIL FAIL C2P P2C FAIL FAIL FAIL