A NOVEL SCHEME FOR DETECTING AND PREVENTING SPOOFED IP ACCESS ON NETWORK USING IP2HP FILTER

Denial of Service (DoS) attacks present a serious problem for Internet communications. An attack simply floods the link of the victim server with a large volume of packets, leading to a high rate of packet drops for legitimate users. In general, DoS attacks are not exposed, but the threat is common. The problem is aggravated when the attackers spoof their IP addresses. Defense against IP spoofing is a dominant research area, and many approaches could diminish the spoofing problem. Because of the destination-based forwarding paradigm of the Internet Protocol, IP address spoofing is both simple and very effective at evading both prevention and detection. The straightforward method of installing simple filters without proper validation at border routers is rendered inefficient by IP spoofing: the attacker can choose a random IP address as the source of each packet and thus make the detection method infeasible. Therefore, detecting and preventing packets with spoofed source addresses has been actively pursued in the research community. Existing solutions to this problem include IP traceback, packet marking, authentication methods, etc. Among these, this paper proposes a solution based on a request verification cum filtering technique near the victim server. Experimental results show that the proposed method eliminates most of the spoofed packets with moderate memory and time consumption.
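As an added illustration (not the paper's own code), a minimal filter of the kind the abstract places near the victim server: the hop count of each arriving packet is inferred from its TTL, compared against a table learned from verified requests, and mismatches are flagged. Reading IP2HP as an IP-to-hop-count table is an assumption (the abstract does not define it), as are the sample addresses and TTL values.

```python
# Added example: hop-count check near the victim server.
# Assumption: "IP2HP" is treated here as an IP-to-hop-count table; the
# abstract does not define it. Hop counts are inferred from arriving TTLs.

COMMON_INITIAL_TTLS = (32, 64, 128, 255)  # typical OS defaults


def infer_hop_count(observed_ttl: int) -> int:
    """Infer hops travelled by picking the smallest common initial TTL
    that is >= the observed value. A path longer than the gap between two
    defaults (e.g. >64 hops from a 128-TTL host) is misclassified, a known
    limit of TTL-based inference."""
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise ValueError("TTL out of range")


class HopCountFilter:
    def __init__(self, tolerance: int = 0):
        self.table = {}            # source IP -> hop count from verified traffic
        self.tolerance = tolerance  # allowed drift from route changes

    def learn(self, src_ip: str, observed_ttl: int) -> None:
        """Record the hop count of a request that was verified (for example,
        one that completed a handshake with the server)."""
        self.table[src_ip] = infer_hop_count(observed_ttl)

    def check(self, src_ip: str, observed_ttl: int) -> str:
        """Return 'accept', 'spoofed', or 'unknown' (no table entry yet)."""
        if src_ip not in self.table:
            return "unknown"
        expected = self.table[src_ip]
        actual = infer_hop_count(observed_ttl)
        return "accept" if abs(actual - expected) <= self.tolerance else "spoofed"


def run_demo() -> list:
    """Constructed sample: two learned sources, then four arriving packets."""
    f = HopCountFilter()
    f.learn("198.51.100.7", 118)  # 128 - 118 = 10 hops
    f.learn("203.0.113.4", 52)    # 64 - 52 = 12 hops
    packets = [("198.51.100.7", 118),  # consistent with learned path
               ("198.51.100.7", 240),  # claims 15 hops: inconsistent
               ("203.0.113.4", 52),
               ("192.0.2.9", 60)]      # never verified
    return [f.check(ip, ttl) for ip, ttl in packets]
```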
