University of Central Florida, CAP 6135: Malware and Software Vulnerability, Spring 2012 (paper presentation transcript)
University of Central Florida
CAP 6135: Malware and Software Vulnerability
Spring 2012
Paper Presentation
Dude, where’s that IP? Circumventing measurement-based IP geolocation
Phillipa Gill, Yashar Ganjali, Bernard Wong, and David Lie
Presenter
Ahmad Alzahrani
Information about the Paper:
Authors:
Phillipa Gill and Yashar Ganjali, Dept. of Computer Science, University of Toronto
David Lie, Dept. of Electrical and Computer Engineering, University of Toronto
Bernard Wong, Dept. of Computer Science, Cornell University
Presented at the 19th USENIX Security Symposium (August 11-13, 2010, Washington, DC) on August 12, 2010, in the Internet Security session.
Background
• What is IP Geolocation? Determining the physical (geographic) location of an Internet host from its IP address.
Introduction
Applications that benefit from IP geolocation:
– Online advertising
– Search engines
– Restricting access to online content (e.g. multimedia)
– Fraud prevention
– Locating VMs hosted by a cloud provider
Motivation
Who has an incentive to circumvent IP geolocation?
Web clients:
– Gain access to region-restricted content
– Online payment fraud
Cloud services:
– Location-based SLAs offered by cloud providers
Paper Contributions
• First to study measurement-based geolocation against an adversarial target.
• Two models of adversarial target are studied: an end host that controls only its own machine (simple adversary) and a WAN operator (sophisticated adversary).
• Two attacks are developed and evaluated: delay-adding and hop-adding.
Background
Measurement-based geolocation
Delay-based geolocation (e.g. constraint-based geolocation, Gueye et al.)
(figure: each landmark pings the target and the round-trip delays constrain where it can be; courtesy Phillipa)
(figure, courtesy Phillipa)
Topology-aware geolocation
• Assumes there is no direct path to the target.
• Also locates the hops along the way.
• Takes circuitous network paths into account.
(figure: landmarks ping the intermediate hops as well as the target; courtesy Phillipa)
Measurement-based geolocation
• Delay-based: constraint-based geolocation (CBG) [Gueye et al.]
– Accuracy: ~78-182 km
• Topology-aware: Octant [Wong et al.]
– Delay between hops on the path is considered
– Locates nodes along the path
– Median accuracy: ~35-40 km
Two attacks have been studied: (1) Delay-adding attack
• The target increases the delay of each landmark's probe by the time it would take to travel the extra distance to the forged location.
• Challenge: how to map distance to delay?
– Requires access to the map function (distance to delay) that the geolocation system uses.
(figure: landmarks L1, L2 and L3, the true location and the forged location)
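The constraint-based geolocation sketched on the previous slides and the delay-adding attack described here, worked through as an added example (Python written for this page, not code from the paper or from the talk). Five constructed landmarks sit on a flat 2000 x 2000 km plane; CBG intersects their constraint circles on a grid to get the feasible region and its centroid; the attacked target then holds each landmark's probe until the RTT matches that landmark's distance to a forged location. The planar coordinates, the single shared RTT-to-distance factor, the 0.5 ms inflation, the 100,000 km² alarm threshold and every position are assumptions made for the example, not values from the paper.

```python
"""Constraint-based geolocation (CBG) on a flat plane, and the delay-adding
attack against it.  Added example, not code from the paper or this talk.
Assumptions (all constructed): planar km coordinates instead of great-circle
distance, one RTT-to-distance factor shared by every landmark, and the
landmark / target / forged positions below."""
import math

# Constructed landmark positions on a 2000 x 2000 km plane.
LANDMARKS = {"A": (0.0, 0.0), "B": (2000.0, 0.0), "C": (0.0, 2000.0),
             "D": (2000.0, 2000.0), "E": (1000.0, 1000.0)}
TRUE_LOCATION = (600.0, 700.0)      # constructed: where the target really is
FORGED_LOCATION = (1500.0, 1400.0)  # constructed: where it wants to appear
PLANE_KM = 2000.0
GRID_STEP_KM = 10.0                 # resolution of the feasible-region search
# Signals travel ~200 km/ms in fibre (2/3 c), so 1 ms of *round-trip* time
# bounds the one-way distance at ~100 km.  CBG fits a per-landmark bestline;
# a single constant keeps the example short.
KM_PER_RTT_MS = 100.0
INFLATION_MS = 0.5            # constructed queueing/processing overhead on honest pings
REGION_ALARM_KM2 = 100_000.0  # constructed detection threshold on region size


def dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def honest_rtts(target):
    """RTT each landmark measures to a target that answers probes honestly."""
    return {name: dist(pos, target) / KM_PER_RTT_MS + INFLATION_MS
            for name, pos in LANDMARKS.items()}


def delay_adding_rtts(target, forged):
    """Delay-adding attack: the target holds each landmark's probe until the
    RTT matches that landmark's distance to the forged location.  Delay can
    only be added, never removed, so a landmark that already sees a larger
    RTT keeps its honest value.  Assumes the attacker knows the landmark
    positions and the RTT-to-distance map (the 'access to the map function'
    condition on the slide)."""
    rtts = honest_rtts(target)
    for name, pos in LANDMARKS.items():
        wanted = dist(pos, forged) / KM_PER_RTT_MS
        rtts[name] = max(rtts[name], wanted + 1e-9)  # slack for float rounding
    return rtts


def inside(point, rtts):
    """Is `point` within every landmark's constraint circle?"""
    return all(dist(point, LANDMARKS[n]) <= rtt * KM_PER_RTT_MS
               for n, rtt in rtts.items())


def geolocate(rtts):
    """CBG: intersect the constraint circles on a grid; return the centroid of
    the feasible region and the region's area in km^2."""
    n = int(PLANE_KM / GRID_STEP_KM) + 1
    pts = [(i * GRID_STEP_KM, j * GRID_STEP_KM)
           for i in range(n) for j in range(n)
           if inside((i * GRID_STEP_KM, j * GRID_STEP_KM), rtts)]
    if not pts:
        raise ValueError("constraints are inconsistent: empty feasible region")
    centroid = (sum(p[0] for p in pts) / len(pts),
                sum(p[1] for p in pts) / len(pts))
    return centroid, len(pts) * GRID_STEP_KM ** 2


def run_attack(target, forged):
    """Localise the target honestly and under the delay-adding attack."""
    honest_est, honest_area = geolocate(honest_rtts(target))
    attacked = delay_adding_rtts(target, forged)
    attack_est, attack_area = geolocate(attacked)
    return {
        "honest_error_km": dist(honest_est, target),
        "honest_area_km2": honest_area,
        "attack_error_km": dist(attack_est, forged),  # distance from the forged spot
        "attack_area_km2": attack_area,
        "forged_feasible": inside(forged, attacked),  # the forged spot survives the cut
        "true_feasible": inside(target, attacked),    # ...but so does the true one
        "flagged": attack_area > REGION_ALARM_KM2,    # region-size detection
    }


if __name__ == "__main__":
    for forged in (FORGED_LOCATION, (800.0, 850.0)):  # far and near forged spots
        r = run_attack(TRUE_LOCATION, forged)
        print(forged, {k: round(v) if isinstance(v, float) else v for k, v in r.items()})
```

Run it and compare the two forged locations: the one far from the true position leaves both the true and the forged points inside a feasible region many times larger than the honest one (the region-size signal the recap refers to), while the nearby one is reproduced much more closely. Because the attacker can only add delay, every constraint circle grows, so the honest position never leaves the feasible set and the attacker's best hope is to drag the centroid toward the forgery.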
Two attacks have been studied: (2) Hop-adding attack
(figure: Landmark 1 and Landmark 2 reach the target with delays d1 and d2)
Two attacks have been studied: (2) Hop-adding attack (continued)
• Multiple network entry points
• Internal routers (each connected to 3)
• Forged location
(figure courtesy Phillipa)
Evaluation
– Are the attacks effective?
– How accurately can the attacker mislead geolocation toward the forged location?
– Can the attacks be detected?
Experiment 1 (delay-adding attack)
– Measurement inputs collected from 50 PlanetLab nodes.
– Each of the 50 nodes takes a turn as the target.
– Each target is moved to 50 forged locations.
Delay-adding Attack - Simulation Setup
Delay-adding attack (Detectability?)
Delay-adding attack (How accurate?)
(plot; labels recovered from the slide: NYC-SFO, 700 M/KM)
Hop-Adding Attack - Simulation Setup
– Targets: 80 nodes (50 in US and 30 in EU)
– Forged locations: 11 inside the simulated WAN (4 gateways, 15 internal routers)
Hop-adding attack (Detectability?)
Hop-adding attack (How accurate?)
(plot comparing the hop-adding attack with the best case of the delay-adding attack)
Recap

| Geolocation algorithm | Simple attacker | Sophisticated attacker |
|---|---|---|
| Delay-based | 1 | 1 |
| Topology-aware | 1 | 2 |

1 – Detectable using region size; accuracy depends on the distance to the forged location.
2 – High accuracy and difficult to detect.
Conclusion
• Measurement-based geolocation algorithms are susceptible to tampering with the delay and topology measurements they rely on.
• Two models of adversary have been considered.
• Two attacks have been developed and evaluated.
• The more advanced and accurate algorithm (topology-aware) is the more susceptible to tampering.
Possible Extensions
• Develop a secure measurement protocol to reduce attackers' ability to alter measurements.
• Provide real-world results for the proposed attacks, to study the effect of network congestion on accuracy.
Qs & As