
Realizing a Source Authentic Internet

  • Conference paper
Security and Privacy in Communication Networks (SecureComm 2010)

Abstract

An innate deficiency of the Internet is its susceptibility to IP spoofing. Whereas a router uses a forwarding table to determine where it should send a packet, previous research has found that a router can similarly employ an incoming table to verify where a packet should come from, thereby detecting IP spoofing. Building on a previous protocol for constructing incoming tables, SAVE, this paper introduces new mechanisms that not only address a critical deficiency of SAVE when it is incrementally deployed (incoming table entries becoming obsolete), but can also push the filtering of spoofed packets towards the SAVE router that is closest to the spoofers. With these new mechanisms, and under the assumption of incremental deployment, we further discuss the security of SAVE, evaluate its efficacy, accuracy, and overhead, and look into its deployment incentives. Our results show that incoming-table-based IP spoofing detection is a feasible and effective solution.
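The following is an added illustration, not code from the paper or from the SAVE project, of the incoming-table check the abstract describes: a source prefix is matched (longest prefix first) to the interface on which packets from it are expected to arrive, and a packet that arrives elsewhere is flagged as spoofed. The table contents, interface names and sample observations are constructed; sources with no entry (an upstream that has not deployed the protocol) are reported as unknown rather than dropped, since the abstract assumes incremental deployment.

```python
import ipaddress
from typing import Optional

# Constructed incoming table for one router: each entry maps a source prefix
# to the interface on which packets from that prefix should arrive
# (the mirror image of a forwarding table).
INCOMING_TABLE = {
    ipaddress.ip_network("10.0.0.0/8"): "eth0",
    ipaddress.ip_network("10.1.0.0/16"): "eth1",   # more specific, wins LPM
    ipaddress.ip_network("192.0.2.0/24"): "eth2",
}

def expected_interface(src: str, table=INCOMING_TABLE) -> Optional[str]:
    """Longest-prefix match of the source address against the incoming table.
    Returns None when no entry covers the source so the caller can fail open."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in table.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None

def classify(src: str, arrived_on: str, table=INCOMING_TABLE) -> str:
    """'valid' if the packet arrived where the table expects it, 'spoofed' if
    it arrived on another interface, 'unknown' if the table has no entry."""
    iface = expected_interface(src, table)
    if iface is None:
        return "unknown"
    return "valid" if iface == arrived_on else "spoofed"

# Constructed sample of (source address, arrival interface) observations.
SAMPLE = [
    ("10.1.2.3", "eth1"),    # valid: /16 entry is more specific than /8
    ("10.1.2.3", "eth0"),    # spoofed: claims 10.1/16 but came in on eth0
    ("10.9.9.9", "eth0"),    # valid under the /8 entry
    ("192.0.2.7", "eth0"),   # spoofed: 192.0.2/24 is expected on eth2
    ("203.0.113.5", "eth2"), # unknown: no incoming-table entry for this source
]

def audit(observations=SAMPLE, table=INCOMING_TABLE) -> dict:
    """Count each verdict over a batch of observations."""
    counts = {"valid": 0, "spoofed": 0, "unknown": 0}
    for src, iface in observations:
        counts[classify(src, iface, table)] += 1
    return counts

if __name__ == "__main__":
    for src, iface in SAMPLE:
        print(f"{src:>12} on {iface}: {classify(src, iface)}")
    print(audit())
```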

This material is based upon work supported by the USA National Science Foundation under Grant No. 0520326. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation.




Copyright information

© 2010 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Ehrenkranz, T., Li, J., McDaniel, P. (2010). Realizing a Source Authentic Internet. In: Jajodia, S., Zhou, J. (eds) Security and Privacy in Communication Networks. SecureComm 2010. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 50. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-16161-2_13

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-16161-2_13

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-16160-5

  • Online ISBN: 978-3-642-16161-2

