Illegitimate Source IPs At Internet Exchange Points

Florian Streibelt

denog8

This presentation features a measurement study we conducted at two large European IXPs. We studied sampled flow data and evaluated the corresponding metadata, that is, the source IP address and the IXP member, to analyze traffic that in theory should not be present. Here, we consider traffic whose source IP we find to be illegitimate within the scope of the public Internet. This includes intentionally spoofed traffic, internal traffic leaked by mistake (e.g., RFC1918), and traffic resulting from misconfiguration. To accomplish this, we use public BGP dumps from RIPE and Routeviews to assess which ASes announce which prefixes and to determine valid transit ASes for each prefix present in the global routing table. Our analysis shows that a small set of IXP members without proper ingress filtering can have global impact and is responsible for a substantial portion of this traffic. Surprisingly, large networks generally perform better than smaller ones, although implementing proper filtering typically seems easier for smaller networks. While our methodology cannot guarantee a completely accurate categorization of traffic, it can easily be deployed in a local network to analyze traffic received from peers and hint towards cases where ingress filtering might not be configured correctly.
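A sketch of how such a check could look on a local network, as an added example that is not the study's own code. It assumes a simplified validity rule (a member is valid for a source address if it appears on any observed AS path for a covering prefix); the class names, ASNs, prefixes and flows are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 private ranges (the abstract's example of leaked internal traffic).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed BGP dump entries: (prefix, AS path as seen by a collector, origin last).
BGP_DUMP = [
    ("192.0.2.0/24", [64500, 64510, 64520]),
    ("192.0.2.0/24", [64501, 64520]),
    ("198.51.100.0/24", [64500, 64530]),
]

# Constructed sampled flows: (IXP member ASN that handed over the packet, source IP).
FLOWS = [
    (64510, "192.0.2.7"),     # member is transit for the prefix
    (64520, "192.0.2.9"),     # member originates the prefix
    (64530, "192.0.2.50"),    # member is on no path for the prefix
    (64510, "10.1.2.3"),      # RFC 1918 leak
    (64530, "203.0.113.5"),   # no covering prefix in the table
]

def build_valid_ases(dump):
    """Map each prefix to every AS seen on a path towards it (origin and transit)."""
    valid = defaultdict(set)
    for prefix, path in dump:
        valid[ipaddress.ip_network(prefix)].update(path)
    return valid

def classify(member_asn, src_ip, valid):
    """Label one sampled flow: bogon, unrouted, invalid or valid."""
    ip = ipaddress.ip_address(src_ip)
    if any(ip in net for net in RFC1918):
        return "bogon"
    covering = [net for net in valid if ip in net]
    if not covering:
        return "unrouted"
    # Assumption: being on a path for any covering prefix makes the member valid.
    if any(member_asn in valid[net] for net in covering):
        return "valid"
    return "invalid"

def summarize(flows, dump):
    """Per-member class counts, to spot peers whose filtering may be missing."""
    valid = build_valid_ases(dump)
    report = defaultdict(lambda: defaultdict(int))
    for member, src in flows:
        report[member][classify(member, src, valid)] += 1
    return {m: dict(c) for m, c in report.items()}
```

Members with a high share of flows outside the `valid` class are the ones to check for missing filtering; as the abstract notes, the categorization is a hint, not proof.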