Abstract
An innate deficiency of the Internet is its susceptibility to IP spoofing. Whereas a router uses a forwarding table to decide where a packet should be sent, previous research has shown that a router can similarly use an incoming table, which records the interface on which packets carrying a given source address are expected to arrive, to verify where a packet should have come from and thereby detect spoofing. Building on SAVE, an earlier protocol for constructing incoming tables, this paper introduces new mechanisms that address a critical deficiency of SAVE under incremental deployment (incoming table entries becoming obsolete) and that also push the filtering of spoofed packets towards the SAVE router closest to the spoofer. With these mechanisms, and under the assumption of incremental deployment, we further discuss the security of SAVE, evaluate its efficacy, accuracy, and overhead, and examine its deployment incentives. Our results show that incoming-table-based IP spoofing detection is a feasible and effective solution.
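The following is an added illustration of the incoming-table idea the abstract describes; it is example code written for this page, not code from the paper or from the SAVE protocol. It models a router that keeps a longest-prefix-match table from source prefix to expected ingress interface and flags packets that arrive on a different interface. The age-based expiry and the fail-open treatment of unknown or stale entries are assumptions of this example (a practitioner's guard against an obsolete table dropping legitimate traffic), not the mechanisms the paper proposes; the prefixes, interface names and packets are constructed sample data.

```python
"""Incoming-table-based source address validation (simplified model).

Example written for this page, not the paper's code. The incoming table
maps a source prefix to the interface on which packets with that source
address are expected to arrive; arrival on any other interface is treated
as spoofing. Expiry and fail-open handling are this example's assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional, Tuple


@dataclass
class IncomingEntry:
    prefix: IPv4Network
    interface: str      # expected ingress interface for this prefix
    learned_at: float   # time (seconds) the entry was installed


class IncomingTable:
    """Longest-prefix-match table from source prefix to expected ingress interface."""

    def __init__(self, max_age: float):
        self.max_age = max_age          # assumption: entries older than this are untrusted
        self.entries: List[IncomingEntry] = []

    def update(self, prefix: str, interface: str, now: float) -> None:
        net = ip_network(prefix)
        # Replace any existing entry for the same prefix so its age is refreshed.
        self.entries = [e for e in self.entries if e.prefix != net]
        self.entries.append(IncomingEntry(net, interface, now))

    def lookup(self, src: str) -> Optional[IncomingEntry]:
        addr = ip_address(src)
        matches = [e for e in self.entries if addr in e.prefix]
        if not matches:
            return None
        return max(matches, key=lambda e: e.prefix.prefixlen)

    def classify(self, src: str, iface: str, now: float) -> str:
        """Return 'valid', 'spoofed', 'unknown' (no entry) or 'stale' (entry too old)."""
        entry = self.lookup(src)
        if entry is None:
            return "unknown"
        if now - entry.learned_at > self.max_age:
            return "stale"
        return "valid" if entry.interface == iface else "spoofed"


def filter_packets(table: IncomingTable, packets: List[Tuple[str, str]], now: float):
    """Apply the table to (source, ingress interface) pairs.

    Only a definite 'spoofed' verdict drops the packet. 'unknown' and 'stale'
    verdicts are forwarded (fail-open), so an obsolete table, the failure mode
    incremental deployment creates, cannot black-hole legitimate traffic.
    """
    forwarded, dropped = [], []
    for src, iface in packets:
        verdict = table.classify(src, iface, now)
        (dropped if verdict == "spoofed" else forwarded).append((src, iface, verdict))
    return forwarded, dropped


def build_sample_table() -> IncomingTable:
    """Constructed sample: a /16 behind eth0 with a more specific /24 behind eth1."""
    table = IncomingTable(max_age=100.0)
    table.update("10.1.0.0/16", "eth0", now=0.0)
    table.update("10.1.5.0/24", "eth1", now=0.0)
    table.update("192.0.2.0/24", "eth2", now=0.0)
    return table


# Constructed sample packets as (source address, interface they arrived on).
SAMPLE_PACKETS = [
    ("10.1.5.7", "eth1"),      # valid: longest match is the /24 behind eth1
    ("10.1.7.7", "eth0"),      # valid: falls back to the /16 behind eth0
    ("10.1.7.7", "eth2"),      # spoofed: 10.1.0.0/16 never arrives on eth2
    ("203.0.113.9", "eth0"),   # unknown: no entry, forwarded
]


def demo(now: float = 10.0):
    """Run the sample packets through the sample table; returns (forwarded, dropped)."""
    return filter_packets(build_sample_table(), SAMPLE_PACKETS, now)


if __name__ == "__main__":
    fwd, drp = demo()
    print("forwarded:", fwd)
    print("dropped:  ", drp)
    # Same table long after its entries were learned: the verdict degrades to 'stale'.
    print("at t=200:", build_sample_table().classify("192.0.2.1", "eth0", now=200.0))
```

The design choice worth noting is the asymmetry in `filter_packets`: a forwarding table that is out of date misroutes traffic, but an incoming table that is out of date silently drops it, so only a verdict backed by a fresh entry is allowed to discard a packet.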
This material is based upon work supported by the U.S. National Science Foundation under Grant No. 0520326. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation.
© 2010 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering
Cite this paper
Ehrenkranz, T., Li, J., McDaniel, P. (2010). Realizing a Source Authentic Internet. In: Jajodia, S., Zhou, J. (eds) Security and Privacy in Communication Networks. SecureComm 2010. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 50. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-16161-2_13
DOI: https://doi.org/10.1007/978-3-642-16161-2_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-16160-5
Online ISBN: 978-3-642-16161-2