Coordination of anti-spoofing mechanisms in partial deployments

Internet Protocol (IP) spoofing remains a serious problem on the Internet: it lets adversaries amplify their network attacks and hide their origin. Many anti-spoofing mechanisms have been proposed, but they do not address a significant deployment problem, namely that filtering is ineffective while adoption is low, and adopters have little incentive to deploy. To defeat spoofing effectively, a mechanism must be widely deployed, yet most anti-spoofing mechanisms cannot solve the deployment problem on their own. Each mechanism works in isolation, but its defensive power is weak when it is insufficiently deployed. If partially deployed mechanisms are coordinated so that they work together, they perform considerably better, because the resulting synergy overcomes each mechanism's limited deployment. We therefore propose a universal anti-spoofing (UAS) mechanism that incorporates existing mechanisms to thwart IP spoofing attacks. In UAS, an intermediate router runs whichever existing anti-spoofing mechanism it has deployed to decide whether a packet is spoofed, and records that decision in the packet header. The edge routers of the victim network then estimate whether a packet is forged from the decisions recorded by the upstream routers. Experiments conducted on real Internet topologies show that UAS reduces false alarms by up to 84.5% compared with each mechanism operating individually.
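The following simulation is an added illustration of the coordination idea described above; it is not the UAS paper's code. The marking field layout, the verdict encoding, the combining rule at the victim edge, and the three-router topology are all assumptions made for the example. It models three mechanisms that each work alone (BCP 38 ingress filtering, route-based filtering, and hop-count filtering), lets each intermediate router that deploys one record its verdict in the packet, and shows two cases where the victim edge's own hop-count check would decide wrongly but the combined upstream verdicts correct it.

```python
"""Toy simulation of coordinating partially deployed anti-spoofing checks.

Added example, not the paper's code. The marking field, the verdict values,
the combining rule and the topology below are assumptions for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

PASS, SPOOF = "pass", "spoof"


@dataclass
class Packet:
    src: str
    dst: str
    ttl: int
    # Assumed header option: (router, mechanism, verdict) appended per hop.
    marks: list = field(default_factory=list)


# --- mechanisms an intermediate router may deploy (each also works alone) ----

def ingress_filter(pkt, cfg):
    """BCP 38 style: the source must lie inside the customer prefix behind the ingress link."""
    return PASS if ip_address(pkt.src) in ip_network(cfg["customer_prefix"]) else SPOOF


def route_based_filter(pkt, cfg):
    """Route-based filtering: the link the packet arrived on must be the link
    the router's own routing table would use to reach the claimed source."""
    for prefix, link in cfg["route_table"].items():
        if ip_address(pkt.src) in ip_network(prefix):
            return PASS if link == cfg["arrival_link"] else SPOOF
    return SPOOF  # no route back to the claimed source at all


def hop_count(ttl):
    """Infer hops travelled from the TTL, assuming an initial TTL of 64, 128 or 255."""
    initial = next(t for t in (64, 128, 255) if t >= ttl)
    return initial - ttl


def hop_count_filter(pkt, cfg):
    """Hop-count filtering at the victim: the TTL-derived hop count must match
    the hop count previously learned for that source."""
    expected = cfg["hop_table"].get(pkt.src)
    return PASS if expected is not None and expected == hop_count(pkt.ttl) else SPOOF


MECHANISMS = {"ingress": ingress_filter, "route": route_based_filter, "hopcount": hop_count_filter}


def forward(pkt, router):
    """One intermediate hop: run the router's mechanism (if it deploys one),
    record the verdict in the packet's marking field, then decrement the TTL."""
    if router.get("mechanism"):
        verdict = MECHANISMS[router["mechanism"]](pkt, router)
        pkt.marks.append((router["name"], router["mechanism"], verdict))
    pkt.ttl -= 1
    return pkt


def edge_decision(pkt, edge):
    """Victim edge router. Assumed combining rule: any upstream SPOOF wins; an
    upstream PASS from a mechanism with ground truth about the source (ingress
    filtering) overrides a local hop-count mismatch; otherwise the edge falls
    back on its own local check."""
    if any(v == SPOOF for (_, _, v) in pkt.marks):
        return SPOOF
    if any(m == "ingress" and v == PASS for (_, m, v) in pkt.marks):
        return PASS
    return MECHANISMS[edge["mechanism"]](pkt, edge)


def deliver(pkt, path, edge):
    for router in path:
        forward(pkt, router)
    return edge_decision(pkt, edge)


# Constructed topology: R1 deploys nothing, R2 route-based filtering, R3 ingress
# filtering, and the victim edge a hop-count filter whose table is stale.
R1 = {"name": "R1"}
R2 = {"name": "R2", "mechanism": "route", "arrival_link": "link-A",
      "route_table": {"10.1.0.0/16": "link-B", "10.2.0.0/16": "link-A"}}
R3 = {"name": "R3", "mechanism": "ingress", "customer_prefix": "10.1.0.0/16"}
EDGE = {"name": "victim-edge", "mechanism": "hopcount", "hop_table": {"10.1.5.5": 12}}


def spoofed_example():
    """Attacker on link-A forges 10.1.5.5 and guesses a TTL that makes the hop
    count look right at the edge (a known weakness of hop-count filtering)."""
    pkt = Packet(src="10.1.5.5", dst="192.0.2.10", ttl=54)
    combined = deliver(pkt, [R1, R2], EDGE)
    local_only = hop_count_filter(pkt, EDGE)   # what the edge decides on its own
    return combined, local_only                # -> ("spoof", "pass")


def legitimate_example():
    """Real host 10.1.5.5 behind R3; the path has grown by two hops since the
    edge learned a hop count of 12, so the local check alone raises a false alarm."""
    pkt = Packet(src="10.1.5.5", dst="192.0.2.10", ttl=51)
    combined = deliver(pkt, [R3], EDGE)
    local_only = hop_count_filter(pkt, EDGE)
    return combined, local_only                # -> ("pass", "spoof")


if __name__ == "__main__":
    print("spoofed packet:   combined=%s local=%s" % spoofed_example())
    print("legitimate packet: combined=%s local=%s" % legitimate_example())
```

In the first case the hop-count filter at the edge would have accepted the forged packet, but R2's route-based verdict carried in the header catches it; in the second, the edge's stale hop-count table would have dropped a legitimate packet, and the ingress filter's verdict from R3 prevents the false alarm. Neither R2 nor R3 alone protects the victim, which is the synergy the abstract describes.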
