Address Protection-as-a-Service: An Inter-AS Framework for IP Spoofing Resilience

IP spoofing, which is generally used for anonymity and amplification, continually enables pervasive distributed denial-of-service (DDoS) attacks. To mitigate IP spoofing, source address validation is divided into three levels: the access network, the intra-autonomous system (AS), and the inter-AS level. However, because of ambiguous incentives, heterogeneous demands, and fragile trust, techniques for the inter-AS level fail in practice, and IP spoofing is therefore still regarded as an almost open vulnerability of the entire Internet. In this study, we aim to transform inter-AS source address validation into an "address protection" service, and we mitigate IP spoofing through an economics-driven framework called apf (address protection framework). Under such protection, the addresses belonging to one AS can be prevented from being spoofed by others. Behind the framework, the service is consolidated by a unified trust anchor with a uniform interface, and deployer ASes are free to select their preferred techniques and invoke the service when needed. Based on empirical data and theoretical analysis, we prove that the service is acceptable for triggering economics-driven implementation under the guidance of the apf framework.
