Shuai Wang (Zhongguancun Laboratory), Ruifeng Li (Zhongguancun Laboratory), Li Chen (Zhongguancun Laboratory), Dan Li (Tsinghua University), Lancheng Qin (Zhongguancun Laboratory), Qian Cao (Zhongguancun Laboratory)
Source IP address spoofing facilitates various malicious attacks, and Outbound Source Address Validation (OSAV) remains the best current practice for preventing spoofed packets from exiting a network. Accurately measuring OSAV deployment is essential for investigating the Internet’s vulnerability to IP spoofing. However, such measurements typically require sending spoofed packets from within the tested network, necessitating cooperation from network operators.
This paper introduces OSAVRoute, the first non-cooperative system capable of capturing fine-grained characteristics of OSAV deployment. Unlike existing non-cooperative methods that can only identify the absence of OSAV, OSAVRoute identifies both the presence and absence of OSAV, and further measure its blocking granularity and blocking depth, achieving capabilities previously limited to cooperative methods. OSAVRoute accomplishes this by explicitly tracing the forwarding paths of spoofed packets, enabling identification of their generation and propagation behavior. With an accuracy of 99.4% and coverage spanning 3.1× more ASes than CAIDA Spoofer, OSAVRoute reveals that 84.2% of the tested ASes do not deploy OSAV, particularly among ISP networks. Among networks that implement OSAV, 95.5% block spoofed packets within the first two IP hops but exhibit various blocking granularities, with /22 to /24 being the most common. Additionally, we reveal, for the first time, a positive correlation between MANRS participation and OSAV deployment.