BASE: an incrementally deployable mechanism for viable IP spoofing prevention

DoS attacks use IP spoofing to forge the source IP address of packets and thereby hide the identity of the source. This makes it hard to defend against DoS attacks, so IP spoofing will continue to be used as an aggressive attack mechanism even in distributed attack environments. While many IP spoofing prevention techniques have been proposed, none has achieved widespread real-world use. One main reason is the lack of properties favoring incremental deployment, an essential component for the adoption of new technologies. A viable solution needs to be not only technically sound but also economically acceptable. An incrementally deployable protocol should have three properties: initial benefits for early adopters, incremental benefits for subsequent adopters, and effectiveness under partial deployment. Since no previous anti-spoofing solution satisfies all three of these properties, we propose a new mechanism called "BGP Anti-Spoofing Extension" (BASE). BASE is an anti-spoofing protocol designed to fulfill the incremental deployment properties necessary for adoption in the current Internet environment. Based on simulations we ran using a model of Internet AS connectivity, BASE shows desirable IP spoofing prevention capabilities under partial deployment. We find that just 30% deployment can drop about 97% of attack packets. Therefore, BASE not only provides benefits to adopters but also outperforms previous anti-spoofing mechanisms.
