University of Central FloridaCAP 6135: Malware and Software Vulnerability
Spring 2012
Paper Presentation
Dude, where’s that IP? Circumventing measurement-based IP geolocation
Phillipa Gill, Yashar Ganjali, Bernard Wong, and David Lie
Presenter
Ahmad Alzahrani
Information about the Paper:
Authors:Phillipa Gill and Yashar Ganjali Dept. of Computer Science, University of TorontoDavid Lie Dept. of Electrical and Computer Engineering, University of TorontoBernard Wong Dept. of Computer Science, Cornell University
Presented at the 19th USENIX Security Symposium, on August 12, 2010 in San Jose, CA during the Internet Security session.
Introduction
Applications benefit from IP Geolocation
–Online advertising –Search engines–Restrict access to online content
• Multimedia
–Fraud Preventions–Geolocation to locate VMs hosted by cloud provider
Motivation
Who has incentive to circumvent IP geolocation?
Web clients:– Gain access to content– Online payment fraud
Cloud service– Location-based SLAs - cloud providers.
Paper Contributions
• Evaluation of two attacks.
• First to study measurement-based geolocation of an adversary
• Studied two models of adversarial geolocation targets (end host & WAN)
Measurement-based geolocation
Delay-based geolocation (e.g. Constraint-based geolocation Gueye et al. )
Ping!Ping!Ping!
courtesy Phillipa
Measurement-based geolocation
Delay-based geolocation (e.g. Constraint-based geolocation Gueye et al. )
Ping!
Ping!
Ping!
Ping!
courtesy Phillipa
Topology-aware geolocation
• Assume no direct path to target.
• Locate also hops on the way.
• Takes into account circuitous network paths.
courtesy Phillipa
Ping!Ping!
Measurement-based geolocation
• Delay-based:– Constraint-based geolocation (CBG) [Gueye et al]
– Accuracy: ~ 78-182 km
• Topology-aware:– Octant [Wong et al.]
– Delay between hops on path is considered
– Locate nodes along the path
– Median accuracy: ~ 35-40 km
Two Attacks have been studied:(1) Delay-adding attack
Increase delay by time to travel the difference
Challenge: how to map distance to delay?
-
- Access to the map function.
ci
322
L3
L2
L11g
2gForgedlocation
Two Attacks have been studied:(2) Hop-adding attack
Multiple network entry points
Internal router (each connected to 3) Forged locationcourtesy Phillipa
Evaluation
– Are the attacks effective?
– What is the accuracy achieved by the attacker to mislead geolocation.
– Can the attacks be detected?
Experiment1 (Delay-adding Attack)
– Collected measurements inputs using 50 PlanetLab nodes.
– Each node of the 50 takes turn as target.
– Each target moved to 50 forged locations.
Hop-Adding Attack - Simulation Setup
-Targets : 80 nodes (50 in US and 30 in EU)-Forget Locations : 11 inside above WAN
(4 Gateways, 15 Internal Routers)
RecapSimpleAttacker
SophisticatedAttacker
Delay-basedAttack
1 1
Topology-awareAttack
1 2
1 – Detectable using region size, accuracy depends on distance to forged location.2 – High Accuracy and difficult to detect.
Conclusion
• Measurement-Based Geolocation algorithms are susceptible to delay-based and topology measurements.
• Two models of adversaries have been considered.
• Two attacks have been developed and evaluated.
• The more advanced and accurate algorithm is more susceptible to tampering
Possible Extensions
• Develop secure measurement protocol to reduce ability of attackers to change measurements .
• Provide real-world results of the proposed attacks to study the effect of network congestion state on accuracy.