
ETD

Digital archive of the theses defended at the Università di Pisa

Thesis etd-01192015-134503


Thesis type
Master's thesis
Author
PUCCETTI, ALESSANDRO
URN
etd-01192015-134503
Titolo
Design and development of an active probing technique to validate the "source IP address" header field in a live stream of IP packets
Department
INGEGNERIA DELL'INFORMAZIONE
Degree programme
COMPUTER ENGINEERING
Supervisors
supervisor Prof. Lenzini, Luciano
co-supervisor Prof. Mingozzi, Enzo
co-supervisor Dott. Dainotti, Alberto
co-supervisor King, Alistair
Keywords
  • passive measurements
  • IP spoofing
  • experiments
  • data analysis
  • darknet
  • active probing
  • active measurements
  • source IP address
  • validation
Defence session start date
20/02/2015
Availability
Full
Abstract
The Internet is a world-wide computer network using the standard Internet Protocol (IP). Every Internet host has an address (IP address); two hosts (A and B) need to know each other's IP address to be able to communicate. Because IPv4 does not provide a validation mechanism for source IP addresses, B cannot be sure about the truthfulness of such an address. In fact, malicious hosts can forge the source IP address. This action is called IP spoofing.
In this thesis, I perform a preliminary exploratory work on heuristics for source IP address validation based on the IPID field of the IP header. First, I analyze IPID behaviors of different operating systems with respect to different types of IP protocols (ICMP, TCP, and UDP). Then I present a novel source IP address validation heuristic based on active probing, which borrows ideas from IP alias resolution techniques used to identify multiple interfaces (each with a different IP address assigned) of a router.
To test this heuristic, I developed a software tool to probe hosts with different methods and detect monotonic incrementing IPID time series. I set up my experiment to use packets (triggers) received by a large darknet operated at UC San Diego. Then, I analyze the gathered data to study the characteristics of triggers and replies. This exploratory experimentation aims to find a correlation between a trigger and the probes’ replies by exploiting monotonic incrementing IPID shared counters. Moreover, I present a thresholding approach to classify triggers as “not spoofed” or “unknown”.
Finally, I discuss my conclusions on presented data, validation results, and future work about how to improve the validation technique and open questions about my current analysis.
File