The Closed Resolver Project

IP address spoofing has been a well-known security issue for a long time. It enables potential attackers to change their genuine IP addresses and become untraceable. The most efficient way to fight this problem is to perform packet filtering at the network edge, also known as Source Address Validation (SAV). We evaluate the deployment of SAV for inbound traffic by sending DNS A requests to local resolvers on behalf of other hosts of the tested networks. Not only do we check filtering policies, but we also reveal closed resolvers that are otherwise not visible from the outside.
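
A defender-side view of the condition described above, as an added example that is not the project's own code: it scans border flow records for packets that entered on an external interface yet carry a source address from the network's own range, which inbound SAV should drop. The interface names, the prefixes (documentation ranges) and the flow records are constructed assumptions.

```python
import ipaddress

# Assumptions for this example: documentation prefixes stand in for the
# address space assigned inside the network, "wan0" for its external interface.
INTERNAL_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("192.0.2.0/24", "2001:db8:1::/48")]
EXTERNAL_IFACES = {"wan0"}

# Constructed border flow records:
# (ingress interface, source, destination, protocol, destination port)
SAMPLE_FLOWS = [
    ("wan0", "198.51.100.7", "192.0.2.53", "udp", 53),       # outside client
    ("wan0", "192.0.2.10", "192.0.2.53", "udp", 53),         # inside source, outside link
    ("lan0", "192.0.2.10", "192.0.2.53", "udp", 53),         # genuine inside client
    ("wan0", "2001:db8:1::5", "2001:db8:1::53", "udp", 53),  # same pattern over IPv6
    ("wan0", "192.0.2.200", "192.0.2.80", "tcp", 443),       # non-DNS, still a violation
]


def is_internal(addr):
    """True if addr belongs to one of the network's own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_PREFIXES)


def sav_violations(flows):
    """Flows that inbound SAV should have dropped at the edge: they entered
    on an external interface but claim a source inside the network."""
    return [f for f in flows
            if f[0] in EXTERNAL_IFACES and is_internal(f[1])]


def reachable_resolvers(flows):
    """Internal DNS servers that received such packets. A resolver that only
    answers internal clients (closed) would treat these as local queries."""
    return {dst for _, _, dst, _, port in sav_violations(flows)
            if port == 53 and is_internal(dst)}


if __name__ == "__main__":
    for flow in sav_violations(SAMPLE_FLOWS):
        print("should be filtered at the edge:", flow)
    print("resolvers reached:", sorted(reachable_resolvers(SAMPLE_FLOWS)))
```

Any record returned by `sav_violations` means the edge is not validating source addresses on inbound traffic for that prefix.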

Are you vulnerable?

You appear to be connecting from IP address 52.54.53.222
According to our latest measurements, we cannot determine if your network is vulnerable to inbound spoofing.

Results

We calculate, per country, the proportion of /24 IPv4 networks confirmed to be vulnerable to inbound spoofing relative to all networks. Note that this is a lower-bound estimate of the problem. Check the map below:

Paper

We describe our findings in greater detail in our paper "Don't Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation of Inbound Traffic". You can check it here.

Abstract: This paper concerns the problem of the absence of ingress filtering at the network edge, one of the main causes of important network security issues. Numerous network operators do not deploy the best current practice - Source Address Validation (SAV) that aims at mitigating these issues. We perform the first Internet-wide active measurement study to enumerate networks not filtering incoming packets by their source address. The measurement method consists of identifying closed and open DNS resolvers handling requests coming from the outside of the network with the source address from the range assigned inside the network under the test. The proposed method provides the most complete picture of the inbound SAV deployment state at network providers. We reveal that 32 673 Autonomous Systems (ASes) and 197 641 Border Gateway Protocol (BGP) prefixes are vulnerable to spoofing of inbound traffic. Finally, using the data from the Spoofer project and performing an open resolver scan, we compare the filtering policies in both directions.

To cite the paper:

		
@inproceedings{korczynski2020inbound_sav,
  title = {{Don't Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation of Inbound Traffic}},
  author = {Korczy\'{n}ski, Maciej and Nosyk, Yevheniya and Lone, Qasim and Skwarek, Marcin and Jonglez, Baptiste and Duda, Andrzej},
  booktitle = {Proceedings of the 21st International Conference on Passive and Active Measurement},
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  pages = {107--121},
  year = {2020},
  doi = {10.1007/978-3-030-44081-7\_7}
}
                
            


Any questions? Contact us!

If you want to find out more about our project or wish to exclude your network from our scanning activities, please write to us: maciej [dot] korczynski [a_t] univ-grenoble-alpes [dot] fr and/or yevheniya [dot] nosyk [a_t] etu [dot] univ-grenoble-alpes [dot] fr