Packet forwarding with source verification

Routers in the Internet generally do not verify the source IP address of the packets they forward, which makes IP spoofing possible. The lack of such verification opens the door to a variety of attacks, including denial-of-service (DoS) and man-in-the-middle attacks. Currently proposed spoofing prevention approaches either protect only the target of such attacks and not the routing fabric used to forward spoofed packets, or fail under commonly occurring conditions such as path asymmetry. With incremental deployability in mind, this paper presents two complementary hop-wise packet tagging approaches that equip routers to drop spoofed packets close to their point of origin. Our simulations show that these approaches dramatically reduce the amount of spoofing possible even under partial deployment.
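The path-asymmetry failure the abstract refers to is easiest to see with the standard router-side checks that predate the paper's tagging scheme. The following is an added example, not code from the paper; it models a strict and a loose reverse-path check and an RFC 2827 style ingress filter on a toy topology. The router names, interfaces and prefixes (10.1.0.0/24 as the customer network, 192.0.2.9 as a spoofed source) are constructed for the illustration, and the code does not implement the paper's hop-wise tags.

```python
"""Toy model of source-address checks at a router (constructed example).

Shows why a strict reverse-path check breaks under path asymmetry, why the
loose variant does not stop spoofing of routable addresses, and why
RFC 2827 style ingress filtering only works where the source prefix is known.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

IPNet = ipaddress.IPv4Network


@dataclass
class Router:
    """Minimal router: a forwarding table plus optional per-interface ingress filters."""
    name: str
    routes: List[Tuple[IPNet, str]]                   # (destination prefix, outgoing interface)
    ingress: Dict[str, Set[IPNet]] = field(default_factory=dict)  # edge iface -> legitimate source prefixes

    def next_hop_iface(self, addr: str) -> Optional[str]:
        """Longest-prefix match on the forwarding table."""
        ip = ipaddress.IPv4Address(addr)
        best: Optional[Tuple[IPNet, str]] = None
        for net, iface in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def strict_urpf(self, in_iface: str, src: str) -> bool:
        """Strict reverse-path check: accept only if we would route back to src via the arrival interface."""
        return self.next_hop_iface(src) == in_iface

    def loose_urpf(self, src: str) -> bool:
        """Loose reverse-path check: accept if any route to src exists, regardless of interface."""
        return self.next_hop_iface(src) is not None

    def ingress_filter(self, in_iface: str, src: str) -> bool:
        """RFC 2827 style ingress filter: on an edge interface accept only sources from its
        assigned prefixes; interfaces without a configured prefix set (core links) are not filtered."""
        allowed = self.ingress.get(in_iface)
        if allowed is None:
            return True
        ip = ipaddress.IPv4Address(src)
        return any(ip in net for net in allowed)


def build_scenario() -> Tuple[Router, Router]:
    # Transit router T learns that customer network A (10.1.0.0/24) is reachable via "east",
    # but because of path asymmetry A's outbound traffic enters T on "west" (constructed topology).
    transit = Router("T", routes=[(IPNet("10.1.0.0/24"), "east"), (IPNet("0.0.0.0/0"), "north")])
    # Edge router E connects customer A on "cust0" and filters that interface by A's prefix.
    edge = Router("E",
                  routes=[(IPNet("10.1.0.0/24"), "cust0"), (IPNet("0.0.0.0/0"), "up0")],
                  ingress={"cust0": {IPNet("10.1.0.0/24")}})
    return transit, edge


def evaluate() -> Dict[str, bool]:
    """Run the constructed packets through each check; every value should be True."""
    transit, edge = build_scenario()
    legit_src = "10.1.0.7"      # a real host in A
    spoofed_src = "192.0.2.9"   # an address a host in A has no right to use (constructed)
    return {
        # A legitimate packet arriving at T over the asymmetric path is wrongly dropped by strict uRPF...
        "transit_strict_drops_legit": not transit.strict_urpf("west", legit_src),
        # ...while loose uRPF accepts it but also passes any spoofed source that is routable at all.
        "transit_loose_accepts_legit": transit.loose_urpf(legit_src),
        "transit_loose_accepts_spoofed": transit.loose_urpf(spoofed_src),
        # At the edge, where the customer prefix is known, ingress filtering stops the spoof.
        "edge_ingress_accepts_legit": edge.ingress_filter("cust0", legit_src),
        "edge_ingress_drops_spoofed": not edge.ingress_filter("cust0", spoofed_src),
    }


if __name__ == "__main__":
    for check, ok in evaluate().items():
        print(f"{check}: {ok}")
```

The transit router is the interesting case: it has no per-interface knowledge of who may source which prefix, so its only tools are reverse-path checks, and those either drop legitimate traffic (strict) or let routable spoofs through (loose). That gap, in the forwarding fabric rather than at the edge, is what the abstract's hop-wise tagging targets.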
