New Internet Research Shows 30,000 Spoofing Attacks Per Day

One CAIDA study concluded that there were almost 30,000 spoofing attacks each day – and a total of 21 million attacks on about 6.3 million unique internet protocol addresses between March 1, 2015 and Feb. 28, 2017 alone.

By Marty Graham, Contributor

The idea that a ‘secure’ network can be tricked into participating in an attack that shuts another network down – without its network administrators knowing about it — isn’t just the stuff of nightmares, a San Diego-based group of elite internet researchers found.

They know because they’re perfecting a tool called Spoofer that lets them measure how easy it is for networks to be duped into taking part in those attacks, and how vulnerable the network is to withstand such a bombardment.

What the researchers at the Center of Applied Internet Data Analysis (CAIDA) have found so far is that many networks – both those that control their direct connection to the internet and those domains that pay larger ISPs to provide that connection — are under constant attack.

One CAIDA study concluded that there were almost 30,000 spoofing attacks each day – and a total of 21 million attacks on about 6.3 million unique internet protocol addresses between March 1, 2015 and Feb. 28, 2017 alone.

How Spoofing Works

Spoofing takes advantage of an underlying way the internet works, where information is sent between users in data packets that contain both the sender and the destination internet addresses. In a good world, those identity data packets are the beginning of a series of communications back and forth between networks. Spoofing attacks are based on these simple communications. However, in spoofing, the sender’s address is disguised and has been replaced with the internet address they are targeting for an attack.

The address the destination network sees is not the sender’s true IP address. The ‘return’ address has been spoofed — it has switched identities — so when the destination network sends a response to the sender, it goes to the address the sender provided, the sender’s true target.

If the sender can spoof enough destination addresses to trigger many, many misguided packets to a target, that target will be flooded with packets it didn’t solicit. If enough packets arrive simultaneously from enough spoofed addresses, the attack can overwhelm its victim. The attack is called a Denial of Service attack, where so much data rushes in that the target’s network can’t function, no longer servicing the internet.

That’s what happened to Dyn Inc. two years ago, when a deluge of data triggered from disguised web addresses collapsed 85 leading websites including eBay, Netflix, PayPal, and Sony PlayStation. During the Dyn Inc. attack, its servers were pummeled with up to 1.2 terabits — 1.2 trillion digits — of data per second.

Today, companies dread being swamped by floods of packets spurred by spoofed addresses — and for good reason. Depending on how the IP addresses are configured and which protocols they use, many IP addresses or IoT devices can become part of a bank of attackers. More specifically, IP addresses that use the least amount of filtering for their network’s outgoing signals can be manipulated into attacking someone else’s target victim 24 percent of the time, CAIDA reported.

Although spoof attacks usually begin on one customer site, if the flood of electronic information to the single network is big enough, they can also take down larger network service providers – like Dyn – and with them, other customer sites.

Spoofing is a global issue, though American organizations are key targets. U.S. controlled internet protocol addresses are responsible for 25 to 29 percent of known spoofing attacks. The next highest target-nation is China — where about 10 percent of sites are under attack — followed by Russia, France, the United Kingdom, and Germany.

“Many governments are increasingly interested in cleaning up their act,” said Josh Polterock, CAIDA’s manager of scientific projects. “They’ve started saying if you’re going to operate an autonomous system, you have to implement source address validation.”

Still, in some positive news, companies relying on best practices for stopping outgoing packets with faked IP addresses have all but eliminated that vulnerability, according to Spoofer data.

Simple and Dangerous

Surprisingly, this ham-fisted mode of attack remains prominent on the threat list. It’s not particularly clever — it is little more than a call-and-response where the response is misdirected and magnified — yet, it taps into a vulnerability that some networks have little incentive to fix: making sure the outbound packets have a valid IP address.

“The way to stop this is Source Address Validation, making sure the sender’s packet is accurately addressed,” explained Polterock. But validating addresses for outbound packets is cumbersome and doing so does not directly benefit the network, though it does benefit the rest of the internet.

Right now, there is no public data on how many networks – and which ones – are currently filtering packets they are sending out. That’s Spoofer’s mission.

As of October 2018, the Spoofer software tool has been downloaded about 66,000 times and now runs on more than 6,000 networks. It launches weekly tests and reports what it finds back to the researchers who then analyze the enormous amount of information.

“Some attacks are showoff attacks, but they can also be ransom attacks. It’s not just losing Hulu for a few hours, it can be losing control of the power grid or a large bank’s financial records.”

— Paul Barford, professor of internet studies at the University of Wisconsin

Spoofer sets out to test its host’s network routing, looking for what happens to outgoing packets. The fake source address is one CAIDA selects and monitors, so packets that successfully evade filtering bounce from the destination back to the CAIDA-monitored source. If the packets are blocked, CAIDA finds out about that, too.

“It knows how to send spoofed packets in a vast number of ways, lots of different approaches to try to poke packets through the network,” Polterock explained. “If a network is configured following best current practices, it doesn’t allow spoofed packets to go out.”

Earlier iterations of the software, first designed and run by Massachusetts Institute of Technology grad student Robert Beverly in the 2000s, only tested how outgoing packets were handled. Later, CAIDA researchers added testing incoming packets to provide information that helps networks improve their incoming filtering — and can increase the incentive to investigate spoofs.

“One thing networks are interested in is if you can spoof back into the network, and that’s something we’ve added to the software so it can show not just whether they’re being good citizens to the rest of the networks, it can give them some insight into how well their network is filtering incoming spoofed packets,” Polterock said.

Spoofer software is available for Microsoft, Apple, and Linux systems, and the Department of Homeland Security grant funding the research was just renewed. The funding is intended to upgrade the software, improve reporting, and take the project to more organizations.

CAIDA researchers believe that many of the larger autonomous systems, particularly those in the U.S. , are working toward validating the source addresses of outgoing packets. Still, it’s not a small thing for networks to do. “They are also concerned that they will filter customers’ legitimate traffic,” Polterock explained.

Here for the Long Haul

Despite the crude nature of the attacks that involve tricking an electronic mob to attack, denial of service attacks aren’t going away. “In some ways, denial of service attacks are getting less sophisticated,” Polterock said. “They’re not even bothering to spoof networks of computers when they can use the brute force of millions of internet of things (IoT) devices.”

Paul Barford, a prominent internet studies professor at the University of Wisconsin, said that the attacks are relatively simple to mount and that even people who lack programming skills can find someone to hire to launch such an attack on the dark web.

“Some attacks are showoff attacks, but they can also be ransom attacks,” Barford said. “It’s not just losing Hulu for a few hours, it can be losing control of the power grid or a large bank’s financial records.”

Barford said he believes that spoofing will be with us until we die. What’s more, the defenses against incoming malicious packets are often both onerous and ineffective. “These attacks are enabled by the limitations and omissions of ISPs,” he said. “They rely on vulnerability in the host system that doesn’t affect the host when they’re exploited.”

Since blocking a barrage of packets sent to the intended victim is very difficult, getting the host engaged in preventing the damaging packets to go out, he reiterated, is the only effective protection.

Barford spoke with the weight of his lifelong studies, as someone who has built a career as a university professor and has founded businesses that map the internet. To make a lasting impact, he explained, “You’d have to change the whole internet.”