2013 IEEE 33rd International Conference on Distributed Computing Systems Workshops (2005)
Columbus, Ohio, USA
June 6, 2005 to June 10, 2005
Rajesh Talpade , Telcordia Technologies, Inc.
Larry Wong , Telcordia Technologies, Inc.
Abhrajit Ghosh , Telcordia Technologies, Inc.
Giovanni Di Crescenzo , Telcordia Technologies, Inc.
Cyber-attackers often use incorrect source IP addresses in attack packets (spoofed IP packets) to achieve anonymity, reduce the risk of trace-back and avoid detection. We present the predictive ingress filtering (InFilter) approach for network-based detection of spoofed IP packets near cyber-attack targets. Our InFilter hypothesis states that traffic entering an IP network from a specific source frequently uses the same ingress point. We have empirically validated this hypothesis by analysis of trace-routes to 20 Internet targets from 24 Looking-Glass sites, and 30-days of Border Gateway Protocol-derived path information for the same 20 targets. We have developed a system architecture and software implementation based on the InFilter approach that can be used at Border Routers of large IP networks to detect spoofed IP traffic. Our implementation had a detection rate of about 80% and a false positive rate of about 2% in testbed experiments using Internet traffic and real cyber-attacks.
Rajesh Talpade, Larry Wong, Abhrajit Ghosh, Giovanni Di Crescenzo, "InFilter: Predictive Ingress Filtering to Detect Spoofed IP Traffic", 2013 IEEE 33rd International Conference on Distributed Computing Systems Workshops, vol. 02, no. , pp. 99-106, 2005, doi:10.1109/ICDCSW.2005.78