The Community for Technology Leaders
RSS Icon
Subscribe
Issue No.01 - January-March (2008 vol.5)
pp: 22-36
ABSTRACT
The Distributed Denial of Services (DDoS) attack is a serious threat to the legitimate use of the Internet. Prevention mechanisms are thwarted by the ability of attackers to forge, or spoof, the source addresses in IP packets. By employing IP spoofing, attackers can evade detection and put a substantial burden on the destination network for policing attack packets. In this paper, we propose an inter-domain packet filter (IDPF) architecture that can mitigate the level of IP spoofing on the Internet. A key feature of our scheme is that it does not require global routing information. IDPFs are constructed from the information implicit in BGP route updates and are deployed in network border routers. We establish the conditions under which the IDPF framework works correctly in that it does not discard packets with valid source addresses. Based on extensive simulation studies, we show that even with partial deployment on the Internet, IDPFs can proactively limit the spoofing capability of attackers. In addition, they can help localize the origin of an attack packet to a small number of candidate networks.
INDEX TERMS
Network-level security and protection, Routing Protocols, Infrastructure Protection, IP Spoofing, DDoS, BGP
CITATION
Zhenhai Duan, Xin Yuan, Jaideep Chandrashekar, "Controlling IP Spoofing through Interdomain Packet Filters", IEEE Transactions on Dependable and Secure Computing, vol.5, no. 1, pp. 22-36, January-March 2008, doi:10.1109/TDSC.2007.70224
REFERENCES
[1] ICANN SSAC Advisory SAC008 DNS Distributed Denial of Service (DDoS) Attacks, Mar. 2006.
[2] C. Labovitz, D. McPherson, and F. Jahanian, “Infrastructure Attack Detection and Mitigation,” Tutorial, Proc. ACM SIGCOMM, Aug. 2005.
[3] R. Beverly and S. Bauer, “The Spoofer Project: Inferring the Extent of Internet Source Address Filtering on the Internet,” Proc. First Usenix Steps to Reducing Unwanted Traffic on the Internet Workshop, July 2005.
[4] S. Kandula, D. Katabi, M. Jacob, and A. Berger, “Botz-4-Sale: Surviving Organized DDoS Attacks that Mimic Flash Crowds,” Proc. Second Symp. Networked Systems Design and Implementation, 2005.
[5] D. Moore, C. Shannon, D. Brown, G. Voelker, and S. Savage, “Inferring Internet Denial-of-Service Activity,” ACM Trans. Computer Systems, vol. 24, no. 2, May 2006.
[6] R. Pang, V. Yegneswaran, P. Barford, V. Paxson, and L. Peterson, “Characteristics of Internet Background Radiation,” Proc. ACM Internet Measurement Conf., Oct. 2004.
[7] S. Savage, D. Wetherall, A. Karlin, and T. Anderson, “Practical Network Support for IP Traceback,” Proc. ACM SIGCOMM Computer Comm. Rev., vol. 30, no. 4, Oct. 2000.
[8] P. Watson, “Slipping in the Window: TCP Reset Attacks,” Proc. Fifth CanSecWest/core04 Conf., 2004.
[9] J. Stewart, “DNS Cache Poisoning—The Next Generation,” technical report, LURHQ, Jan. 2003.
[10] V. Paxson, “An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks,” ACM Computer Comm. Rev., vol. 31, no. 3, July 2001.
[11] ”CERT Advisory ca-1996-21 TCP SYN Flooding and IP Spoofing Attacks,” CERT, http://www.cert.org/advisoriesCA-1996-21.html , 1996.
[12] K. Park and H. Lee, “On the Effectiveness of Route-Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets,” Proc. ACM SIGCOMM, Aug. 2001.
[13] Y. Rekhter and T. Li, “A Border Gateway Protocol 4 (BGP-4),” RFC 1771, Mar. 1995.
[14] L. Gao, “On Inferring Autonomous System Relationships in the Internet,” IEEE/ACM Trans. Networking, vol. 9, no. 6, Dec. 2001.
[15] L. Gao and J. Rexford, “Stable Internet Routing without Global Coordination,” IEEE/ACM Trans. Networking, vol. 9, no. 6, Dec. 2001.
[16] G. Huston, “Interconnection, Peering and Settlements: Part I,” The Internet Protocol J., Mar. 1999.
[17] F. Baker, “Requirements for IP Version 4 Routers,” RFC 1812, June 1995.
[18] “Unicast Reverse Path Forwarding Loose Mode,” Cisco Systems, http://www.cisco.com/univercd/cc/td/doc/ product/software/ios122/122newf%t/122t/ 122t13ft_urpf.pdf, 2007.
[19] C. Jin, H. Wang, and K. Shin, “Hop-Count Filtering: An Effective Defense against Spoofed DDoS Traffic,” Proc. 10th ACM Conf. Computer and Comm. Security, Oct. 2003.
[20] A. Yaar, A. Perrig, and D. Song, “Pi: A Path Identification Mechanism to Defend against DDoS Attacks,” Proc. IEEE Symp. Security and Privacy, May 2003.
[21] A. Yaar, A. Perrig, and D. Song, “StackPi: New Packet Marking and Filtering Mechanisms for DDoS and IP Spoofing Defense,” IEEE J. Selected Areas in Comm., vol. 24, no. 10, Oct. 2006.
[22] J. Li, J. Mirkovic, M. Wang, P. Reiher, and L. Zhang, “Save: Source Address Validity Enforcement Protocol,” Proc. IEEE INFOCOM, June 2002.
[23] A. Bremler-Barr and H. Levy, “Spoofing Prevention Method,” Proc. IEEE INFOCOM, Mar. 2005.
[24] X. Liu, X. Yang, D. Wetherall, and T. Anderson, “Efficient and Secure Source Authentication with Packet Passport,” Proc. Second Usenix Workshop Steps to Reducing Unwanted Traffic on the Internet (SRUTI '06), July 2006.
[25] P. Ferguson and D. Senie, Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing, RFC 2267, Jan. 1998.
[26] “The Team Cymru Bogon Route Server Project,” Team Cymru, http://www.cymru.com/BGPbogon-rs.html, 2007.
[27] J. Stewart, BGP4: Inter-Domain Routing in the Internet. Addison-Wesley, 1999.
[28] W. Xu and J. Rexford, “Miro: Multi-Path Interdomain Routing,” SIGCOMM Computer Comm. Rev., vol. 36, no. 4, Oct. 2006.
[29] L. Gao, T. Griffin, and J. Rexford, “Inherently Safe Backup Routing with BGP,” Proc. IEEE INFOCOM, 2001.
[30] J. Chandrashekar, Z. Duan, Z.-L. Zhang, and J. Krasky, “Limiting Path Exploration in BGP,” Proc. IEEE INFOCOM, Mar. 2005.
[31] V. Fuller, T. Li, J. Yu, and K. Varadhan, “Classless Inter-Domain Routing (CIDR): An Address Assignment and Aggregation Strategy,” RFC 1519, Sept. 1993.
[32] Z. Duan, X. Yuan, and J. Chandrashekar, “Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates,” Proc. IEEE INFOCOM, Apr. 2006.
[33] “Route Views Project,” Univ. of Oregon, http:/www.routeviews. org/, 2007.
[34] X. Dimitropoulos, D. Krioukov, and G. Riley, “Revisiting Internet As-Level Topology Discovery,” Proc. Sixth Int'l Workshop Passive and Active Measurement, Mar. 2005.
[35] D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver, “Inside the Slammer Worm,” Proc. IEEE Symp. Security and Privacy, 2003.
17 ms
(Ver 2.0)

Marketing Automation Platform Marketing Automation Tool