FaaS: filtering IP spoofing traffic as a service
IP spoofing weakens network security and accountability. Although many techniques have been proposed to prevent IP spoofing, most of them are not implemented by device vendors, and the only available anti-spoofing tool in practice is ingress filtering [3]. However, ISPs do not have incentives to deploy ingress filtering, as it only prohibits a deployer from sending spoofing traffic but hardly protects the deployer from receiving spoofing traffic. Recent research shows that the deployment of ingress filtering has not improved in four years, and the Internet is still vulnerable to IP spoofing [2]. The reason that ingress filtering lacks deployment incentive can also be explained from an economic perspective, i.e. deploying ingress filtering is not profitable, because it introduces extra operational cost without generating sufficient revenue for the deployers. In this paper, we seek to increase the deployers' economic revenue to incentivize the deployment of ingress filtering. Our proposal is Filtering as a Service (FaaS), a mechanism that creates a market for the IP spoofing prevention service. As shown in Figure 1, an Autonomous System (AS) in need of IP spoofing prevention (FaaS customer, or f-customer) can purchase the service from any AS that has deployed ingress filtering (f-provider). An f-customer benefits from its f-providers, and rewards them with service payments. An f-provider deploys ingress filtering, and opens a source of revenue by providing filtering service. Different from traditional ingress filtering, which drops any detected spoofing packet, an f-provider only filters the spoofing packets for its f-customers (specifically the spoofing packets whose dstIP or srcIP belongs to its f-customers) to prevent free riders. A deployer gains more revenue with FaaS than it does on the current Internet.
On the current Internet, an AS deploying ingress filtering benefits all the ASes on the Internet, but it can only receive rewards from its customer ASes (e.g. the customers may prefer or even pay more for securer service). With FaaS, the deployer can
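The selective drop rule described in the abstract, set beside traditional ingress filtering, as an added Python example (not code from the paper). The interface names, prefixes and function names are constructed assumptions, and the ingress check is modelled as a per-interface allow-list of source prefixes.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation prefixes), not from the paper.
# Customer-facing interface -> source prefixes legitimately seen on it.
INGRESS_ALLOWED = {
    "cust-a": [ipaddress.ip_network("198.51.100.0/24")],
    "cust-b": [ipaddress.ip_network("203.0.113.0/24")],
}
# Prefixes of f-customers that purchased filtering from this f-provider.
F_CUSTOMER_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]


def in_any(addr, prefixes):
    return any(addr in prefix for prefix in prefixes)


def is_spoofed(iface, src):
    """Ingress check: the source must fall in a prefix expected on this interface."""
    allowed = INGRESS_ALLOWED.get(iface)
    if allowed is None:  # assumption: no ingress filter configured on this interface
        return False
    return not in_any(src, allowed)


def traditional_verdict(iface, src, dst):
    """Classic ingress filtering: drop every detected spoofed packet."""
    return "drop" if is_spoofed(iface, ipaddress.ip_address(src)) else "forward"


def faas_verdict(iface, src, dst):
    """FaaS rule: drop a spoofed packet only if srcIP or dstIP is an f-customer's."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not is_spoofed(iface, src):
        return "forward"
    if in_any(src, F_CUSTOMER_PREFIXES) or in_any(dst, F_CUSTOMER_PREFIXES):
        return "drop"
    return "forward"  # spoofed, but no paying f-customer involved (no free riding)


if __name__ == "__main__":
    packets = [  # constructed packets: (ingress interface, srcIP, dstIP)
        ("cust-a", "198.51.100.7", "192.0.2.10"),   # legitimate source
        ("cust-a", "203.0.113.5", "192.0.2.10"),    # spoofed, aimed at an f-customer
        ("cust-a", "192.0.2.99", "203.0.113.8"),    # spoofed, claims an f-customer source
        ("cust-a", "10.9.9.9", "203.0.113.8"),      # spoofed, no f-customer involved
    ]
    for pkt in packets:
        print(pkt, traditional_verdict(*pkt), faas_verdict(*pkt))
```

The last packet is where the two policies diverge: traditional filtering drops it for everyone's benefit, while the f-provider forwards it because neither address belongs to a paying f-customer.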
[1] Jun Li, et al. On the state of IP spoofing defense, 2009, TOIT.
[2] Xin Liu, et al. Passport: Secure and Adoptable Source Authentication, 2008, NSDI.
[3] Robert Beverly, et al. Understanding the efficacy of deployed internet source address validation filtering, 2009, IMC '09.