Issue No. 01 - January-March (2008 vol. 5)
The Distributed Denial of Services (DDoS) attack is a serious threat to the legitimate use of the Internet. Prevention mechanisms are thwarted by the ability of attackers to forge, or spoof, the source addresses in IP packets. By employing IP spoofing, attackers can evade detection and put a substantial burden on the destination network for policing attack packets. In this paper, we propose an inter-domain packet filter (IDPF) architecture that can mitigate the level of IP spoofing on the Internet. A key feature of our scheme is that it does not require global routing information. IDPFs are constructed from the information implicit in BGP route updates and are deployed in network border routers. We establish the conditions under which the IDPF framework works correctly in that it does not discard packets with valid source addresses. Based on extensive simulation studies, we show that even with partial deployment on the Internet, IDPFs can proactively limit the spoofing capability of attackers. In addition, they can help localize the origin of an attack packet to a small number of candidate networks.
Network-level security and protection, Routing Protocols, Infrastructure Protection, IP Spoofing, DDoS, BGP
Zhenhai Duan, Xin Yuan, Jaideep Chandrashekar, "Controlling IP Spoofing through Interdomain Packet Filters", IEEE Transactions on Dependable and Secure Computing, vol. 5, no. , pp. 22-36, January-March 2008, doi:10.1109/TDSC.2007.70224