State of IP Spoofing

State of IP Spoofing

[news] [results] [methodology] [download] [feedback] [MailList] [FAQ]

Summary:

Current as of:
Total Tests: 12832
Unique Client Sessions: 8653

* Spoofable and unspoofable counts represent actual client reports while indicated estimates are extrapolated from the number of globally routeable netblocks, addresses and ASes respectively. Individual clients are counted singly regardless of the number of tests performed.

Source address filtering:

= Source address filtering in place
Private	Unallocated	Valid	Client Count
			0

Each test run attempts to send IP packets with different spoofed addresses in order to infer provider filtering policies. Private sources are those defined in RFC1918: e.g. 10/8, 172.16/12, 192.168/16 prefixes. Unallocated sources are IANA Reserved Addresses: e.g. 1/8, 89/8, 90/8 prefixes. Valid sources addresses are those present in BGP routing tables

Each test run spoofs addresses from adjacent netblocks, beginning with a direct neighbor (IP address + 1) all the way to an adjacent /8. The following figure displays the granularity of source address filtering (typically employed by service providers) along paths tested in our study. If the filtering is occurring on a /8 boundary for instance, a client within that network is able to spoof 16,777,215 other addresses.

Using the tracefilter mechanism, we measure filtering depth; where along the tested path (from each client to the server), filtering is employed. Depth represents the number of IP routers through which the client can spoof before being filtered.

Geographic Distribution:

We assess the geographic distribution of clients in our dataset both to measure the extent of our testing coverage as well as to determine if any region of the world is more susceptible to spoofing. We use CAIDA's plot-latlong package to generate geographical maps.


Location of client tests	Location of spoofable networks

Failed Spoofs:

Predictably, some percentage of machines will not be able to spoof IP packets regardless of filtering policies. Some reasons are described in our FAQ. We exclude failed clients from our summary results but characterize some of the underlying reasons for failures that we are able to detect below:

Total Completely Failed Spoof Attempts:
Failed as a result of (non-Windows) Operating System block:
Failed as a result of being Behind a NAT:
Failed as a result of Windows XP SP2: [note]

About:

This report, provided by MIT ANA, intends to provide a current aggregate view of ingress and egress filtering and IP Spoofing on the Internet. While the data in this report is the most comprehensive of its type we are aware of, it is still an ongoing, incomplete project. The data here is representative only of the netblocks, addresses and autonomous systems (ASes) of clients from which we have received reports. The more client reports we receive the better - they increase our accuracy and coverage.

Download and run our testing software to automatically contribute a report to our database. Note that this involves generating a small number of IP packets with spoofed source addresses from your box. This has yet to trip any alarms or cause problems for our contributors, but you run the software at your own risk. The software generates a customized report displaying the filtering policies of your Internet service provider(s).

Feedback, comments and bug fixes welcome directly or on the Spoofer Mailing List. Contact Rob Beverly for more information. This page is regenerated six times daily. Last generated .