The Community for Technology Leaders
RSS Icon
Issue No.02 - March/April (2011 vol.8)
pp: 218-232
Jelena Mirkovic , USC Information Sciences Institute, Marina Del Rey
Ezra Kissel , University of Delaware, Newark
IP spoofing exacerbates many security threats, and reducing it would greatly enhance Internet security. Seven defenses that filter spoofed traffic have been proposed to date; three are designed for end-network deployment, while four assume some collaboration with core routers for packet marking or filtering. Because each defense has been evaluated in a unique setting, the following important questions remain unanswered: 1) Can end networks effectively protect themselves or is core support necessary? 2) Which defense performs best assuming sparse deployment? 3) How to select core participants to achieve best protection with fewest deployment points? This paper answers the above questions by: 1) formalizing the problem of spoofed traffic filtering and defining novel effectiveness measures, 2) observing each defense as selfish (it helps its participants) or altruistic (it helps everyone) and differentiating their performance goals, 3) defining optimal core deployment points for defenses that need core support, and 4) evaluating all defenses in a common and realistic setting. Our results offer a valuable insight into advantages and limitations of the proposed defenses, and uncover the relationship between any spoofing defense's performance and the Internet's topology.
IP spoofing, packet filtering, spoofing defense evaluation.
Jelena Mirkovic, Ezra Kissel, "Comparative Evaluation of Spoofing Defenses", IEEE Transactions on Dependable and Secure Computing, vol.8, no. 2, pp. 218-232, March/April 2011, doi:10.1109/TDSC.2009.44
[1] Advanced Network Architecture Group, ANA Spoofer Project, http:/, 2009.
[2] P. Ferguson and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing," IETF RFC 2267, 1998.
[3] D. Moore, C. Shannon, D.J. Brown, G.M. Voelker, and S. Savage, "Inferring Internet Denial-of-Service Activity," ACM Trans. Computer Systems, vol. 24, no. 2, pp. 115-139, May 2006.
[4] D. Kawamoto, "DNS Recursion Leads to Nastier DoS Attacks,", Mar. 2006.
[5] C. Jin, H. Wang, and K.G. Shin, "Hop-Count Filtering: An Effective Defense against Spoofed DDoS Traffic," Proc. 10th ACM Conf. Computer and Comm. Security, 2003.
[6] K. Park and H. Lee, "On the Effectiveness of Route-Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets," Proc. ACM SIGCOMM, 2001.
[7] Z. Duan, X. Yuan, and J. Chandrashekar, "Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates," Proc. IEEE INFOCOM, 2006.
[8] A. Bremler-Barr and H. Levy, "Spoofing Prevention Method," Proc. IEEE INFOCOM, 2005.
[9] X. Liu, X. Yang, D. Wetherall, and T. Anderson, "Efficient and Secure Source Authentication with Packet Passports," Proc. Conf. Steps to Reducing Unwanted Traffic on the Internet (SRUTI), 2006.
[10] A. Perrig, D. Song, and A. Yaar, "StackPi: A New Defense Mechanism against IP Spoofing and DDoS Attacks," Technical Report CMU-CS-02-208, Feb. 2003.
[11] M. Collins, T.J. Shimeall, S. Faber, J. Janies, R. Weaver, and M. De Shon, "Predicting Future Botnet Addresses with Uncleanliness," Proc. Internet Measurement Conf. (IMC), 2007.
[12] V. Yegneswaran, P. Barford, and S. Jha, "Global Intrusion Detection in the DOMINO Overlay System," Proc. Network and Distributed System Security Symp. (NDSS), 2004.
[13] Y. He, G. Siganos, M. Faloutsos, and S.V. Krishnamurthy, "A Systematic Framework for Unearthing the Missing Links: Measurements and Impact," Proc. Symp. Networked Systems Design Implementation (NSDI '07), Apr. 2007.
[14], BGP Core Routing Table Size, http://www. routeviews.orgdynamics /, 2009.
[15] F. Wang and L. Gao, "On Inferring and Characterizing Internet Routing Policies," Proc. Internet Measurement Conf., Oct. 2003.
[16] RouteViews Archive, Univ. of Oregon, http:/www.routeviews. org , 2009.
[17] D. Moore, C. Shannon, G.M. Voelker, and S. Savage, "Internet Quarantine: Requirements for Containing Self-Propagating Code," Proc. IEEE INFOCOM, 2003.
[18] W. Muhlbauer, A. Feldmann, O. Maennel, M. Roughan, and S. Uhlig, "Building an AS-Topology Model that Captures Route Diversity," Proc. ACM SIGCOMM, 2006.
[19] Internet Routing Registries, http:/, 2009.
[20] CAIDA, Skitter Data.
[21] The DIMES Project, DIMES Web Page, http:/www.netdimes. org/, 2009.
[22] B. Zhang, R. Liu, D. Massey, and L. Zhang, "Collecting the Internet AS-Level Topology," Proc. ACM SIGCOMM Computer Comm. Review (CCR), Jan. 2005.
[23] G. Siganos and M. Faloutsos, "Analyzing BGP Policies: Methodology and Tool," Proc. IEEE INFOCOM, 2004.
[24] R.V. Oliveira, D. Pei, W. Willinger, B. Zhang, and L. Zhang, "In Search of the Elusive Ground Truth: The Internet's AS-Level Connectivity Structure," Proc. ACM SIGMETRICS, 2008.
[25] D.S. Hochbaum, Approximation Algorithms for NP-Hard Problems. Course Tech nology, 1996.
[26] S.N. Dorogovtsev and J.F.F. Mendes, Evolution of Networks: From Biological Nets to the Internet and WWW. Oxford Univ. Press, 2003.
[27] P. Mahadevan, D. Krioukov, M. Fomenkov, B. Huffaker, X. Dimitropoulos, K. Claffy, and A. Vahdat, "The Internet AS-Level Topology: Three Data Sources and One Definitive Metric," technical report, UCSD, 2005.
[28] D. Alderson, L. Li, W. Willinger, and J.C. Doyle, "Understanding Internet Topology: Principles, Models, and Validation," IEEE/ACM Trans. Networking, vol. 13, no. 6, pp. 1205-1218, Dec. 2005.
[29] American Registry for Internet Numbers, WHOIS, http://www.arin.netwhois, 2007.
24 ms
(Ver 2.0)

Marketing Automation Platform Marketing Automation Tool