Realizing a Source Authentic Internet

An innate deficiency of the Internet is its susceptibility to IP spoofing. Whereas a router uses a forwarding table to determine where it should send a packet, previous research has found that a router can similarly employ an incoming table to verify where a packet should have come from, thereby detecting IP spoofing: a packet whose source address arrives on an interface other than the one the incoming table records for that source is spoofed. Building on a previous protocol for constructing incoming tables, SAVE, this paper introduces new mechanisms that not only address a critical deficiency of SAVE under incremental deployment (incoming table entries becoming obsolete after routing changes), but also push the filtering of spoofed packets towards the SAVE router closest to the spoofers. With these new mechanisms, and under the assumption of incremental deployment, we further discuss the security of SAVE, evaluate its efficacy, accuracy, and overhead, and examine its deployment incentives. Our results show that incoming-table-based IP spoofing detection is a feasible and effective solution.
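The check the abstract describes, as an added illustration that is not the paper's code and does not implement the SAVE protocol itself (how a router learns its incoming table is SAVE's job; here the entries are simply loaded). The table maps a source prefix to the set of interfaces on which packets from that prefix legitimately arrive, a longest-prefix match resolves overlapping prefixes, and a verdict is returned per packet. Two caveats from the abstract are modelled explicitly: under incremental deployment most sources have no entry at all, so an absent entry yields "unknown" rather than a drop; and an entry can become obsolete, so entries older than an assumed freshness bound `max_age` yield "stale" rather than "spoofed". The prefixes, interface names, timestamps and packets are constructed for the example.

```python
"""Incoming-table spoof check: illustrative example, not the SAVE protocol."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

IPNet = ipaddress.IPv4Network


@dataclass
class IncomingEntry:
    """Interfaces on which packets from one source prefix legitimately arrive."""
    interfaces: Set[str]   # a set, so a multihomed source can have several
    learned_at: float      # when the entry was (re)learned, in seconds


class IncomingTable:
    """Source prefix -> valid incoming interface(s), with longest-prefix match."""

    def __init__(self, max_age: float) -> None:
        # Assumed freshness bound: an entry older than this may describe a
        # route that no longer exists (the obsolescence problem the text raises).
        self.max_age = max_age
        self.entries: Dict[IPNet, IncomingEntry] = {}

    def learn(self, prefix: str, iface: str, now: float) -> None:
        """Record that packets from `prefix` are expected to arrive on `iface`."""
        net = ipaddress.ip_network(prefix, strict=True)
        entry = self.entries.get(net)
        if entry is None:
            self.entries[net] = IncomingEntry({iface}, now)
        else:
            entry.interfaces.add(iface)
            entry.learned_at = now

    def lookup(self, src: str) -> Optional[Tuple[IPNet, IncomingEntry]]:
        """Longest-prefix match on the source address; None if no prefix covers it."""
        addr = ipaddress.ip_address(src)
        by_specificity = sorted(self.entries.items(),
                                key=lambda kv: kv[0].prefixlen, reverse=True)
        for net, entry in by_specificity:
            if addr in net:
                return net, entry
        return None

    def classify(self, src: str, in_iface: str, now: float) -> str:
        """Return 'valid', 'spoofed', 'stale' or 'unknown' for one packet."""
        hit = self.lookup(src)
        if hit is None:
            return "unknown"          # no SAVE information: cannot judge
        _net, entry = hit
        if now - entry.learned_at > self.max_age:
            return "stale"            # entry may be obsolete: do not trust it
        if in_iface in entry.interfaces:
            return "valid"
        return "spoofed"              # wrong incoming direction for this source


def action(verdict: str) -> str:
    """Only a positive spoofing verdict drops; unknown and stale are forwarded."""
    return "drop" if verdict == "spoofed" else "forward"


def demo_verdicts(now: float = 1000.0) -> Dict[str, str]:
    """Classify a constructed packet sample against a constructed table."""
    table = IncomingTable(max_age=300.0)
    table.learn("10.1.0.0/16", "eth0", now=900.0)
    table.learn("10.1.7.0/24", "eth1", now=950.0)    # more specific, other port
    table.learn("192.0.2.0/24", "eth2", now=100.0)   # old entry, now stale
    table.learn("203.0.113.0/24", "eth2", now=980.0)  # multihomed source ...
    table.learn("203.0.113.0/24", "eth3", now=980.0)  # ... reachable via two ports

    packets = [  # (source address, interface the packet arrived on)
        ("10.1.2.3", "eth0"), ("10.1.2.3", "eth1"),
        ("10.1.7.9", "eth1"), ("10.1.7.9", "eth0"),
        ("192.0.2.5", "eth0"), ("203.0.113.4", "eth3"),
        ("198.51.100.1", "eth0"),
    ]
    return {f"{src}@{iface}": table.classify(src, iface, now)
            for src, iface in packets}


if __name__ == "__main__":
    for key, verdict in demo_verdicts().items():
        print(f"{key:22s} {verdict:8s} -> {action(verdict)}")
```

The "stale" and "unknown" verdicts are what make the scheme safe to deploy incrementally: a router that has not learned a prefix, or whose entry may predate a routing change, forwards rather than drops, so only a definite direction mismatch against a fresh entry costs a packet.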
