Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates

The Distributed Denial-of-Service (DDoS) attack is a serious threat to the legitimate use of the Internet. Prevention mechanisms are thwarted by the ability of attackers to forge or spoof the source addresses in IP packets. By employing IP spoofing, attackers can evade detection and put a substantial burden on the destination network for policing attack packets. In this paper, we propose an inter-domain packet filter (IDPF) architecture that can mitigate the level of IP spoofing on the Internet. A key feature of our scheme is that it does not require global routing information. IDPFs are constructed from the information implicit in Border Gateway Protocol (BGP) route updates and are deployed in network border routers. We establish the conditions under which the IDPF framework correctly works in that it does not discard packets with valid source addresses. Based on extensive simulation studies, we show that, even with partial deployment on the Internet, IDPFs can proactively limit the spoofing capability of attackers. In addition, they can help localize the origin of an attack packet to a small number of candidate networks.
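As an added illustration (not code from the paper or its authors), the following Python sketch shows how a border router could derive a filter from BGP updates alone: each neighbor AS is treated as a feasible upstream neighbor for a source address only while it has announced a route covering that address on its session with us. That simplified feasibility rule, the AS numbers and the prefixes are constructed for this example; the paper's exact conditions and simulation setup are not reproduced here.

```python
import ipaddress
from collections import defaultdict


class IDPF:
    """Simplified inter-domain packet filter for one border router.

    Assumption (constructed for this example): a neighbor AS is a feasible
    upstream neighbor for a source prefix only while it currently announces
    that prefix to this router. No global routing information is needed.
    """

    def __init__(self):
        # neighbor AS -> set of prefixes it currently announces to us
        self.announced = defaultdict(set)

    def bgp_update(self, neighbor_as, announce=(), withdraw=()):
        """Apply one BGP UPDATE from neighbor_as (new NLRI and withdrawn routes)."""
        for p in withdraw:
            self.announced[neighbor_as].discard(ipaddress.ip_network(p))
        for p in announce:
            self.announced[neighbor_as].add(ipaddress.ip_network(p))

    def feasible_upstream(self, src_ip):
        """Neighbors that have announced a prefix covering src_ip.

        This set is also the candidate list for localizing where a packet
        with this source address could legitimately have entered.
        """
        src = ipaddress.ip_address(src_ip)
        return {n for n, prefixes in self.announced.items()
                if any(src in p for p in prefixes)}

    def accept(self, neighbor_as, src_ip):
        """Accept a packet only if its ingress neighbor is feasible for its source."""
        return neighbor_as in self.feasible_upstream(src_ip)


def demo():
    # Constructed sample session: 64501 and 64502 are our neighbor ASes.
    f = IDPF()
    f.bgp_update(64501, announce=["192.0.2.0/24", "198.51.100.0/24"])
    f.bgp_update(64502, announce=["203.0.113.0/24"])
    results = {
        "valid_from_64501": f.accept(64501, "192.0.2.10"),     # True
        "spoofed_via_64502": f.accept(64502, "192.0.2.10"),    # False: 64502 never announced it
        "candidate_origins": sorted(f.feasible_upstream("192.0.2.10")),  # [64501]
    }
    f.bgp_update(64501, withdraw=["192.0.2.0/24"])
    results["after_withdraw"] = f.accept(64501, "192.0.2.10")  # False once the route is gone
    return results
```

The filter state tracks route withdrawals as well as announcements, so a packet that was feasible before a withdrawal is dropped afterwards; in practice a filter built this way must be kept in step with the router's BGP session state to avoid discarding valid traffic.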
