SMap: Internet-wide Scanning for Spoofing

Tianxiang Dai, Haya Shulman

TL;DR

This paper introduces SMap, the Spoofing Mapper, the first Internet-wide scanner designed to measure ingress filtering across the vast majority of ASes. By combining domain-based and IPv4 service discovery with three active probing techniques (IPID, PMTUD, DNS lookup), SMap achieves wide coverage without requiring network cooperation, enabling longitudinal tracking over two years. The study finds that a large share of networks are spoofable, with 80%+ of tested ASes not enforcing ingress filtering, and it demonstrates that PMTUD offers the strongest applicability while DNS-based methods provide broad reach for resolvers. The authors release a public data service and code, facilitating reproducibility and ongoing monitoring of spoofing defenses across the Internet, and they provide a comparative analysis showing SMap’s superior coverage relative to prior Spy/agent-based efforts.

Abstract

To protect themselves from attacks, networks need to enforce ingress filtering, i.e., block inbound packets sent from spoofed IP addresses. Although this is a widely known best practice, it is still not clear how many networks do not block spoofed packets. Inferring the extent of spoofability at Internet scale is challenging and despite multiple efforts the existing studies currently cover only a limited set of the Internet networks: they can either measure networks that operate servers with faulty network-stack implementations, or require installation of the measurement software on volunteer networks, or assume specific properties, like traceroute loops. Improving coverage of the spoofing measurements is critical. In this work we present the Spoofing Mapper (SMap): the first scanner for performing Internet-wide studies of ingress filtering. SMap evaluates spoofability of networks utilising standard protocols that are present in almost any Internet network. We applied SMap for Internet-wide measurements of ingress filtering: we found that 69.8% of all the Autonomous Systems (ASes) in the Internet do not filter spoofed packets and found 46880 new spoofable ASes which were not identified in prior studies. Our measurements with SMap provide the first comprehensive view of ingress filtering deployment in the Internet as well as remediation in filtering spoofed packets over a period of two years until May 2021. We set up a web service at https://smap.cad.sit.fraunhofer.de to perform continual Internet-wide data collection with SMap and display statistics from spoofing evaluation. We make our datasets as well as the SMap (implementation and the source code) publicly available to enable researchers to reproduce and validate our results, as well as to continually keep track of changes in filtering spoofed packets in the Internet.
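The abstract defines ingress filtering as blocking inbound packets whose source address is spoofed. The following is an added example, not code from the SMap paper or its authors, showing what that decision looks like on a router: a strict-mode check (the source must be reachable through the interface it arrived on, per the uRPF model of RFC 3704) beside a loose-mode check (any non-default route suffices), plus a bogon list. The routing table, interface names and sample packets are constructed for illustration; the loose mode is included to show why it does not stop spoofing between customers of the same network.

```python
# Added example (not from the SMap paper): minimal ingress-filtering decision
# logic in the style of BCP 38 / uRPF. Routing table, interface names and
# packets below are constructed for illustration only.
import ipaddress

# Hypothetical forwarding table: prefix -> interface through which it is reached.
ROUTING_TABLE = {
    ipaddress.ip_network("0.0.0.0/0"): "upstream0",
    ipaddress.ip_network("203.0.113.0/24"): "cust1",
    ipaddress.ip_network("198.51.100.0/24"): "cust2",
    ipaddress.ip_network("198.51.100.128/25"): "cust3",  # more specific, other customer
}

# Source ranges that should never appear on an inter-network link.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def best_route(src):
    """Longest-prefix match for src; returns (prefix, interface) or None."""
    matches = [(p, i) for p, i in ROUTING_TABLE.items() if src in p]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


def check_ingress(src_ip, in_iface, mode="strict"):
    """Decide whether a packet with source src_ip arriving on in_iface passes.

    strict: the best route back to the source must point at in_iface.
    loose:  any route other than the default route is enough (weaker).
    Returns (verdict, reason) with verdict in {"accept", "drop"}.
    """
    src = ipaddress.ip_address(src_ip)
    if any(src in b for b in BOGONS):
        return ("drop", "bogon source")
    route = best_route(src)
    if route is None:
        return ("drop", "no route to source")
    prefix, iface = route
    if mode == "loose":
        if prefix.prefixlen == 0:
            return ("drop", "only the default route covers the source")
        return ("accept", f"route to source exists via {iface}")
    if iface == in_iface:
        return ("accept", f"source reachable via {in_iface}")
    return ("drop", f"spoofed: {src} is behind {iface}, arrived on {in_iface}")


def filter_packets(packets, mode="strict"):
    """Run the check over (src, in_iface) pairs and tally the verdicts."""
    tally = {"accept": 0, "drop": 0}
    for src, iface in packets:
        verdict, _ = check_ingress(src, iface, mode)
        tally[verdict] += 1
    return tally


# Constructed sample traffic: (source address, arriving interface).
SAMPLE_PACKETS = [
    ("203.0.113.10", "cust1"),     # legitimate customer traffic
    ("203.0.113.10", "cust2"),     # cust2 spoofing cust1's address
    ("198.51.100.200", "cust2"),   # cust2 spoofing the /25 delegated to cust3
    ("198.51.100.200", "cust3"),   # legitimate, matches the more specific route
    ("198.51.100.5", "cust2"),     # legitimate, covered by the /24
    ("10.1.2.3", "cust1"),         # private source leaking out: bogon
    ("192.0.2.7", "upstream0"),    # Internet source via the default route
]

if __name__ == "__main__":
    for src, iface in SAMPLE_PACKETS:
        print(src, iface, *check_ingress(src, iface))
    print("strict:", filter_packets(SAMPLE_PACKETS))
    print("loose: ", filter_packets(SAMPLE_PACKETS, mode="loose"))
```

In strict mode the two spoofed packets and the bogon are dropped; in loose mode both spoofed packets pass because a route to the claimed source exists somewhere, which is the gap a spoofability measurement such as SMap's would still observe.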

Paper Structure

This paper contains 20 sections, 1 equation, 14 figures, 5 tables.

Figures (14)

  • Figure 1: SMap measurements between July'19 and May'21. Domain-based (left) and IPv4-based (right).
  • Figure 2: IPIDs on servers in dataset.
  • Figure 3: IPID of Name server 69.13.54.XXX during 180sec.
  • Figure 4: Sequence diagram for IPID technique.
  • Figure 5: Sequence diagram for PMTUD technique.
  • ...and 9 more figures