SAVing the Internet: Measuring the adoption of Source Address Validation (SAV) by network providers

IP spoofing is the act of forging source IP addresses assigned to a host machine. Spoofing provides users the ability to hide their identity and impersonate another machine. Malicious users use spoofing to invoke a variety of attacks. Examples are Distributed Denial of Service (DDoS) attacks, policy evasion and a range of application-level attacks. Despite source IP address spoofing being a known vulnerability for at least 25 years, and despite many efforts to shed light on the problem, spoofing remains a popular attack method for redirection, amplification and anonymity. Defeating these attacks requires operators to ensure that their networks filter packets with spoofed source IP addresses. This is a Best Current Practice (BCP), known as Source Address Validation (SAV). Yet, widespread SAV adoption is hindered by a misalignment of incentives: networks that adopt SAV incur the cost of deployment, while the security benefits diffuse to all other networks. The challenges posed by SAV adoption exemplify the failure of traditional governance models to provide solutions in the Internet ecosystem. Policy interventions usually require transparency in measurements to quantify and assess the vulnerability landscape. However, measuring SAV requires a vantage point inside the network or in the upstream provider of the network. Once a packet with a spoofed source address leaves the upstream network provider, it is almost impossible to ascertain its origin...