BasepaperControlling IP Spoofing through Interdomain Packet Filters
Upcoming SlideShare
Loading in...5
×
 

BasepaperControlling IP Spoofing through Interdomain Packet Filters

on

  • 1,080 views

 

Statistics

Views

Total Views
1,080
Views on SlideShare
1,080
Embed Views
0

Actions

Likes
1
Downloads
29
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    BasepaperControlling IP Spoofing through Interdomain Packet Filters BasepaperControlling IP Spoofing through Interdomain Packet Filters Document Transcript

    • 22 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 5, NO. 1, JANUARY-MARCH 2008 Controlling IP Spoofing through Interdomain Packet FiltersZhenhai Duan, Member, IEEE, Xin Yuan, Member, IEEE, and Jaideep Chandrashekar, Member, IEEE Abstract—The Distributed Denial-of-Service (DDoS) attack is a serious threat to the legitimate use of the Internet. Prevention mechanisms are thwarted by the ability of attackers to forge or spoof the source addresses in IP packets. By employing IP spoofing, attackers can evade detection and put a substantial burden on the destination network for policing attack packets. In this paper, we propose an interdomain packet filter (IDPF) architecture that can mitigate the level of IP spoofing on the Internet. A key feature of our scheme is that it does not require global routing information. IDPFs are constructed from the information implicit in Border Gateway Protocol (BGP) route updates and are deployed in network border routers. We establish the conditions under which the IDPF framework correctly works in that it does not discard packets with valid source addresses. Based on extensive simulation studies, we show that, even with partial deployment on the Internet, IDPFs can proactively limit the spoofing capability of attackers. In addition, they can help localize the origin of an attack packet to a small number of candidate networks. Index Terms—IP spoofing, DDoS, BGP, network-level security and protection, routing protocols. Ç1 INTRODUCTIOND ISTRIBUTED Denial-of-Service (DDoS) attacks pose an increasingly grave threat to the Internet, as evident inrecent DDoS attacks mounted on both popular Internet sites legitimate traffic harder: packets with spoofed source addresses may appear to be from all around the Internet. Second, it presents the attacker with an easy way to insert aand the Internet infrastructure [1]. Alarmingly, DDoS level of indirection. As a consequence, substantial effort isattacks are observed on a daily basis on most of the large required to localize the source of the attack traffic [7]. Finally,backbone networks [2]. One of the factors that complicate many popular attacks such as man-in-the-middle attacks [8],the mechanisms for policing such attacks is IP spoofing, [9], reflector-based attacks [10], and TCP SYN flood attackswhich is the act of forging the source addresses in IP [11] use IP spoofing and require the ability to forge sourcepackets. By masquerading as a different host, an attacker addresses.can hide its true identity and location, rendering source- Although attackers can insert arbitrary source addressesbased packet filtering less effective. It has been shown that a into IP packets, they cannot control the actual paths that thelarge part of the Internet is vulnerable to IP spoofing [3]. packets take to the destination. Based on this observation, Recently, attackers have increasingly been staging Park and Lee [12] proposed the route-based packet filters as aattacks via botnets [4]. In this case, since the attacks are way of mitigating IP spoofing. The idea is that by assumingcarried out through intermediaries, that is, the compro- single-path routing, there is exactly one single path pðs; dÞmised “bots,” attackers may not utilize the technique of IP between the source node s and the destination node d. Hence,spoofing to hide their true identities. It is tempting to any packet with the source address s and the destinationbelieve that the use of IP spoofing is less of a factor. address d that appear in a router that is not in pðs; dÞ should beHowever, recent studies [1], [5], [6] show that IP spoofing is discarded. The challenge is that constructing such a route-still a common phenomenon: it is used in many attacks, based packet filter requires the knowledge of global routingincluding the high-profile DDoS attacks on root DNS information, which is hard to reconcile in the current Internetservers in early February 2006 [1]. In response to this event, routing infrastructure [13].the ICANN Security and Stability Advisory Committee The Internet consists of thousands of network domains ormade three recommendations [1]. The first and long-term autonomous systems (ASs). Each AS communicates with itsrecommendation is to adopt source IP address verification, neighbors by using the Border Gateway Protocol (BGP),which confirms the importance of the IP spoofing problem. which is the de facto interdomain routing protocol, to IP spoofing will remain popular for a number of reasons. exchange information about its own networks and othersFirst, IP spoofing makes isolating attack traffic from that it can reach [13]. BGP is a policy-based routing protocol in that both the selection and the propagation of the best route to a destination at an AS are guided by some locally defined. Z. Duan and X. Yuan are with the Department of Computer Science, Florida State University, Tallahassee, FL 32306. routing policies. Given the insular nature of how policies are E-mail: {duan, xyuan}@cs.fsu.edu. applied at individual ASs, it is impossible for an AS to acquire. J. Chandrashekar is with Intel Research/CTL, 2200 Mission College Blvd., the complete knowledge of routing decisions made by all MS RNB6-61, Santa Clara, CA 95054. other ASs. Hence, constructing route-based packet filters, as E-mail: jaideep.chandrashekar@intel.com. proposed in [12], is an open challenge in the current InternetManuscript received 7 June 2006; revised 5 Feb. 2007; accepted 10 July 2007; routing regime.published online 1 Aug. 2007.For information on obtaining reprints of this article, please send e-mail to: Inspired by the route-based packet filters [12], we proposetdsc@computer.org, and reference IEEECS Log Number TDSC-0071-0606. an interdomain packet filter (IDPF) architecture, a route-Digital Object Identifier no. 10.1109/TDSC.2007.70224. based packet filter system that can be constructed solely 1545-5971/08/$25.00 ß 2008 IEEE Published by the IEEE Computer Society
    • DUAN ET AL.: CONTROLLING IP SPOOFING THROUGH INTERDOMAIN PACKET FILTERS 23based on the locally exchanged BGP updates, assuming that filters by using the prefix and path information. Bremler-Barrall ASs employ a set of routing policies that are commonly and Levy proposed a spoofing prevention method (SPM) [23],used today [14], [15], [16]. The key contributions of this paper where packets that were exchanged between members of theare given as follows: First, we describe how we can practically SPM scheme carry an authentication key that is associatedconstruct IDPFs at an AS by only using the information in the with the source and destination AS domains. Packets arrivinglocally exchanged BGP updates. Second, we establish the at a destination domain with an invalid authentication keyconditions under which the proposed IDPF framework (with respect to the source domain) are spoofed packets andworks correctly in that it does not discard packets with valid are discarded. In the Packet Passport System [24], a packetsource addresses. Third, to evaluate the effectiveness of the that originated in a participating domain carries a passportproposed architecture, we conduct extensive simulation that is computed based on secret keys shared by the sourcestudies based on AS topologies and AS paths extracted from domain and the transit domains from the source to thereal BGP data. The results show that, even with partial destination. Packets carrying an invalid passport are dis-deployment, the architecture can proactively limit an attack- carded by the transit domains.er’s ability to spoof packets. When a spoofed packet cannot be In the Network Ingress Filtering proposal described instopped, IDPFs can help localize the attacker to a small [25], traffic originating in a network is forwarded only if thenumber of candidate ASs, which can significantly improve source IP in the packets belongs to the network. Ingressthe IP traceback situation [7]. In addition, IDPF-enabled ASs filtering primarily prevents a specific network from being(and their customers) provide better protection against used for attacking others. Thus, although there is a collectiveIP spoofing attacks than the ones that do not support social benefit when everyone deploys it, individuals do notIDPFs. This should give network administrators incentives receive direct incentives. Finally, the Bogon Route Serverto deploy IDPFs. Project [26] maintains a list of bogon network prefixes that are The rest of this paper is organized as follows: We discuss not routable on the public Internet. Examples include privaterelated work in Section 2. We provide an abstract model of RFC 1918 address blocks and unassigned address prefixes.BGP in Section 3. Section 4 presents the IDPF architecture. Packets with source addresses in the bogon list are filteredSection 5 discusses practical deployment issues. We report out. However, this mechanism cannot filter out attack packetsour simulation study of IDPFs in Section 6. We conclude carrying routable but spoofed source addresses.this paper in Section 7. 3 BORDER GATEWAY PROTOCOL AND2 RELATED WORK AS INTERCONNECTIONSThe idea of IDPF is motivated by the work carried out by Park In this section, we briefly describe a few key aspects of BGPand Lee [12], who evaluated the relationship between that are relevant to this paper (see [27] for a comprehensivenetwork topology and the effectiveness of route-based packet description). We model the AS graph of the Internet as anfiltering. They showed that packet filters constructed based undirected graph G ¼ ðV ; EÞ. Each node v 2 V correspondson the global routing information can significantly limit IP to an AS, and each edge eðu; vÞ 2 E represents a BGPspoofing when deployed in just a small number of ASs. In this session between two neighboring ASs u, v 2 V . To ease thework, we extend the idea and demonstrate that filters that are exposition, we assume that there is at most one edgebuilt based on local BGP updates can also be effective. between a pair of neighboring ASs. Unicast reverse path forwarding (uRPF) [17] requires that Each node owns one or multiple network prefixes. Nodesa packet is forwarded only when the interface that the packet exchange BGP route updates, which may be announcementsarrives on is exactly the same used by the router to reach the or withdrawals, to learn of changes in reachability tosource IP of the packet. If the interface does not match, the destination network prefixes. A route announcement con-packet is dropped. Although this is simple, the scheme is tains a list of route attributes associated with the destinationlimited, given that Internet routing is inherently asymmetric; network prefix. Of particular interest to us are the path vectorthat is, the forward and reverse paths between a pair of hosts attribute as_path, which is the sequence of ASs that thisare often quite different. The uRPF loose mode [18] over- route has been propagated over, and the local_prefcomes this limitation by removing the match requirement on attribute that describes the degree of local preference associatedthe specific incoming interface for the source IP address. A with the route. We will use r.as_path, r.local_pref,packet is forwarded, as long as the source IP address is in the and r.prefix to denote the as_path, the local_pref,forwarding table. However, the loose mode is less effective in and the destination network prefix of r, respectively. Letdetecting spoofed packets. In Hop-Count Filtering (HCF)[19], each end system maintains a mapping between IP r:as path ¼ hvk vkÀ1 . . . v1 v0 i. The route was originated (firstaddress aggregates and valid hop counts from the origin to announced) by node v0 , which owns the network prefixthe end system. Packets that arrive with a different hop count r.prefix. Before arriving at node vk , the route was carriedare suspicious and are therefore discarded or marked for over nodes v1 ; v2 ; . . . ; vkÀ1 in that order. For i ¼ k, k À 1; . . . ; 1,further processing. In Path Identification [20], each packet we say that edge eðvi ; viÀ1 Þ is on the AS path, that is,along a path is marked by a unique Path Identifier (Pi) of the eðvi ; viÀ1 Þ 2 r:as path.path. Victim nodes can filter packets based on the Pi carried in When there is no confusion, route r and its AS paththe packet header. StackPi [21] improved the incremental r:as path are interchangeably used. For convenience, wedeployment property of Pi by proposing two new packet also consider a specific destination AS d. All routemarking schemes. In [22], Li et al. described SAVE, which is a announcements and withdrawals are specific to the net-new protocol for networks to propagate valid network work prefixes owned by d. For simplicity, notation d is alsoprefixes along the same paths that data packets will follow. used to denote the network prefixes owned by the AS d. AsRouters along the paths can thus construct the appropriate a consequence, a route r that can be used to reach the
    • 24 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 5, NO. 1, JANUARY-MARCH 2008 TABLE 1 TABLE 2 Import Routing Policies at an AS Export Routing Policies at an ASnetwork prefixes owned by destination d may simply beexpressed as a route to reach destination d.3.1 Policies and Route SelectionEach node only selects and propagates to neighbors a single common when the provider is much larger in sizebest route to the destination, if any. Both the selection and the than the customer.propagation of best routes are governed by locally defined . Peer to peer. In a mutual peering agreement, the ASsrouting policies. Two distinct sets of routing policies are decide to carry traffic from each other (and theirtypically employed by a node: import policies and export customers). Mutual peers do not carry transit trafficpolicies. Neighbor-specific import policies are applied upon for each other.routes learned from neighbors, whereas neighbor-specific . Sibling to sibling. In this arrangement, two ASs provideexport policies are imposed on locally selected best routes mutual transit service to each other. Each sibling ASbefore they are propagated to the neighbors. can be regarded as the provider of the other AS. In general, import policies can affect the “desirability” of An AS’s relationship with a neighbor largely determinesroutes by modifying route attributes. Let r be a route (to the neighbor-specific import and export routing policies. Indestination d) received at v from node u. We denote by this paper, we assume that each AS sets its import routingimportðv uÞ½frgŠ the possibly modified route that has policies and export routing policies according to the rulesbeen transformed by the import policies. The transformed specified in Tables 1 [15] and 2 [14], [16], respectively. Theseroutes are stored in v’s routing table. The set of all such rules are commonly used by ASs on the current Internet. Inroutes is denoted as candidateRðv; dÞ: Table 1, r1 and r2 denote the routes (to destination d) received by node v from neighbors u1 and u2 , respectively. candidateRðv; dÞ ¼ fr : importðv uÞ½frgŠ 6¼ fg customerðvÞ, peerðvÞ, providerðvÞ, and siblingðvÞ denote the ð1Þ r:prefix ¼ d; 8u 2 NðvÞg: set of customers, peers, providers, and siblings of node v, respectively. The import routing policies in Table 1 stateHere, NðvÞ is the set of v’s neighbors. that an AS will prefer the routes learned from customers or Among the set of candidate routes candidateRðv; dÞ, node siblings over the routes learned from peers or providers.v selects a single best route to reach the destination based on a In Table 2, the columns marked with r1-r4 specify thewell-defined procedure (see [27]). To aid in description, we export policies employed by an AS to announce routes toshall denote the outcome of the selection procedure at node v, providers, customers, peers, and siblings, respectively. Forthat is, the best route, as bestRðv; dÞ, which reads the best route instance, export rule r1 instructs that an AS will announceto destination d at node v. Having selected bestRðv; dÞ from routes to its own networks, and routes learned fromcandidateRðv; dÞ, v then exports the route to its neighbors customers and siblings to a provider, but it will notafter applying neighbor-specific export policies. The export announce routes learned from other providers and peerspolicies determine if a route should be forwarded to the to the provider. The net effect of these rules is that they limitneighbor, and if so, they modify the route attributes according the possible paths between each pair of ASs. Combinedto the policies (see Section 3.2). We denote by exportðv ! together, the import and export policies also ensure theuÞ½frgŠ the route sent to neighbor u by node v after node v propagation of valid routes on the Internet. For example,applies the export policies on route r. combining the import and export policies, we can guarantee BGP is an incremental protocol: updates are generated that a provider will propagate a route to a customer to otheronly in response to network events. In the absence of any ASs (customers, providers, peers, and siblings). If an ASevent, no route updates are triggered or exchanged between does not follow the import policies, for example, it mayneighbors, and we say that the routing system is in a stable prefer an indirect route via a peer instead of a direct route tostate. Formally, a customer. In this case, based on export rule r3, the AS willDefinition 1 (stable routing state). A routing system is in a not propagate the route (via a peer) to a customer to a peer, stable state if all the nodes have selected a best route to reach other since the best route (to the customer) is learned from a peer. nodes and no route updates are generated (or propagated). This property is critical to the construction and correctness of IDPFs (see Sections 4.2 and 4.3). The routing policies in3.2 AS Relationships and Routing Policies Tables 1 and 2 are incomplete. In some cases, ASs mayThe specific routing policies that an AS internally employs apply less restrictive policies. For the moment, we assumeis largely determined by economics: connections between that all ASs follow the import and export routing policiesASs follow a few commercial relations. A pair of ASs can specified in Tables 1 and 2 and that each AS acceptsenter into one of the following arrangements [14], [16]: legitimate routes exported by neighbors. More general cases will be discussed at the end of the next section. . Provider to customer. In this arrangement, a customer If AS b is a provider of AS a and AS c is a provider of AS b, AS pays the provider AS to carry its traffic. It is most then we call c an indirect provider of a, and a an indirect
    • DUAN ET AL.: CONTROLLING IP SPOOFING THROUGH INTERDOMAIN PACKET FILTERS 25customer of c. Indirect siblings are defined in a similar Clearly, the route-based packet filtering is correct, becausefashion. The import and export routing policies in Tables 1 valid packets from source s to destination d will only traverseand 2 imply that an AS will distribute the routes to direct or the edges on bestRðs; dÞ. Computing route-based packetindirect customers/siblings to its peers and providers. If filters requires the knowledge of bestRðs; dÞ on every node,eðu; vÞ 2 bestRðs; dÞ:as path, we say that u is the best which is impossible in BGP. IDPF overcomes this problem.upstream neighbor of node v for traffic from node s todestination d, and we denote u as u ¼ bestUðs; d; vÞ. For ease 4.1 IDPF Overviewof exposition, we augment the AS graph with the relation- The following concepts will be used in this section. Aships between neighboring ASs. We refer to an edge from a topological route between nodes s and d is a loop-free pathprovider to a customer AS as a provider-to-customer edge, an between the two nodes. Topological routes are implied by theedge from a customer to provider as a customer-to-provider network connectivity. A topological route is a feasible routeedge, and an edge connecting sibling (peering) ASs as sibling- under BGP if and only if the construction of the route does notto-sibling (peer-to-peer) edge. A downhill path is a sequence of violate the routing policies imposed by the commercialedges that are either provider-to-customer or sibling-to- relationship between ASs (Tables 1 and 2). Formally, letsibling edges, and an uphill path is a sequence of edges that are feasibleRðs; dÞ denote the set of feasible routes from s to d.either customer-to-provider or sibling-to-sibling edges. Gao Then, feasibleRðs; dÞ can recursively be defined as follows:[14] established the following about the candidate routes in aBGP routing table: feasibleRðs; dÞ ¼Theorem 1 (see [14]). If all ASs set their export policies fhs È [ feasibleRðu; dÞig; according to r1-r4, a candidate route in a BGP routing table u: can be any of the following: importðs uÞ½frgŠ 6¼ fg; 1. an uphill path, r:prefix ¼ d; u 2 NðsÞ 2. a downhill path, where È is the concatenation operation, for example, fs È 3. an uphill path followed by a downhill path, fhabi; huvigg ¼ fhsabi; hsuvig. Notice that feasibleRðs; dÞ 4. an uphill path followed by a peer-to-peer edge, contains all the routes between the pair that does not 5. a peer-to-peer edge followed by a downhill path, or violate the import and export routing policies specified in 6. an uphill path followed by a peer-to-peer edge, which is Tables 1 and 2. Obviously, bestRðs; dÞ 2 candidateRðs; dÞ  followed by a downhill path. feasibleRðs; dÞ. Each of the feasible routes can potentially be a candidate route in a BGP routing table. Theorem 1 also applies to feasible routes.4 INTERDOMAIN PACKET FILTERS Definition 4 (feasible upstream neighbor). Consider aIn this section, we discuss the intuition behind the IDPF feasible route r 2 feasibleRðs; dÞ. If an edge eðu; vÞ is onarchitecture, describe how IDPFs are constructed using BGP the feasible route, that is, eðu; vÞ 2 r:as path, we say thatroute updates, and establish the correctness of IDPFs. After node u is a feasible upstream neighbor of node v for packetthat, we discuss the case where ASs have routing policies Mðs; dÞ. The set of all such feasible upstream neighbors of vthat are less restrictive than the ones in Tables 1 and 2. We (for Mðs; dÞ) is denoted as feasibleUðs; d; vÞ.shall assume that the routing system is in the stable routing The intuition behind the IDPF framework is the following:state in this section. We will discuss how IDPFs fare with First, it is possible for a node v to infer its feasible upstreamnetwork routing dynamics in the next section. neighbors by using BGP route updates. The technique Let Mðs; dÞ denote a packet whose source address is s (or for inferring feasible upstream neighbors is described inmore generally, the address belongs to AS s) and whose the next section. Since bestRðs; dÞ 2 candidateRðs; dÞ destination address is d. A packet filtering scheme decides feasibleRðs; dÞ, a node can only allow Mðs; dÞ from itswhether a packet should be forwarded or dropped based on feasible upstream neighbors to pass and discard all othercertain criteria. One example is the route-based packet packets. Such a filtering will not discard packets with validfiltering [12]: source addresses. Second, although network connectivityDefinition 2 (route-based packet filtering). Node v accepts (topology) may imply a large number of topological routes packet Mðs; dÞ that is forwarded from node u if and only if between a source and a destination, the commercial relation- eðu; vÞ 2 bestRðs; dÞ. Otherwise, the source address of the ship between ASs and routing policies employed by ASs act packet is spoofed, and the packet is discarded by v. to restrict the size of feasibleRðs; dÞ. Consider the example in Fig. 1. Figs. 2a and 2b present the topological routes implied In the context of preventing IP spoofing, an ideal packet by the network connectivity and feasible routes constrainedfilter should discard spoofed packets while allowing legit- by routing policies between source s and destination d,imate packets to reach the destinations. Since, even with the respectively. In Fig. 2b, we assume that nodes a, b, c, and dperfect routing information, the route-based packet filters have mutual peering relationship, and that a and b arecannot identify all spoofed packets [12], a valid packet filter providers to s. We see that although there are 10 topologicalshould focus on not dropping any legitimate packets while routes between source s and destination d, we only have twoproviding the ability to limit spoofed packets. Accordingly, feasible routes that are supported by routing policies. Of morewe define the correctness of a packet filter as follows: importance to IDPF is that although the network topologyDefinition 3 (correctness of packet filtering). A packet filter may imply that all neighbors can forward a packet allegedly is correct if it does not discard packets with valid source from a source to a node, feasible routes constrained by routing addresses when the routing system is stable. policies help limit the set of such neighbors. As an example,
    • 26 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 5, NO. 1, JANUARY-MARCH 2008Fig. 1. An example network topology.let us consider the situation at node d. Given that only nodes a Fig. 2. Routes between source s and destination d. (a) Topologicaland b (but not c) are on the feasible routes from s to d, node d routes implied by connectivity. (b) Feasible routes constrained by routingcan infer that all packets forwarded by node c and allegedly policies.from source s are spoofed and should be discarded. It is clear that IDPF is less powerful than route-based Based on Lemma 1, a node can identify the feasiblepacket filters [12], since the IDPFs are computed based on upstream neighbors for packet Mðs; dÞ and conduct IDPF asfeasibleRðs; dÞ instead of bestRðs; dÞ. However, feasibleU follows:ðs; d; vÞ can be inferred from local BGP updates, whereas Definition 5 (IDPF). Node v will accept packet Mðs; dÞ that isbestUðs; d; vÞ cannot. forwarded by a neighbor node u if and only if exportðu ! vÞ4.2 Constructing IDPFs ½fbestRðu; sÞgŠ ¼ fg. Otherwise, the source address of the 6 packet must have been spoofed, and the packet should beThe following lemma summarizes the technique for discarded by node v.identifying the feasible upstream neighbors of node v forpacket Mðs; dÞ: 4.3 Correctness of IDPFLemma 1. Consider a feasible route r between source s and Theorem 2. An IDPF, as defined in Definition 5, is correct. destination d. Let v 2 r:as path and let u be the feasible Proof. Without loss of generality, consider source s, upstream neighbor of node v along r. When the routing system destination d, and a node v 2 bestRðs; dÞ:as path such is stable, exportðu ! vÞ½fbestRðu; sÞgŠ 6¼ fg, assuming that v deploys an IDPF. To prove the theorem, we need to that all ASs follow the import and export routing policies in establish that v will not discard packet Mðs; dÞ forwarded Tables 1 and 2 and that each AS accepts legitimate routes by the best upstream neighbor u along bestRðs; dÞ. exported by neighbors. S i n c e bestRðs; dÞ 2 candidateRðs; dÞ  feasibleRLemma 1 states that if node u is a feasible upstream ðs; dÞ, u is also a feasible upstream neighbor of node v forneighbor of node v for packet Mðs; dÞ, node u must have packet Mðs; dÞ. From Lemma 1, u must have exported toexported to node v its best route to reach the source s. node v its best route to source s. That is, exportðu ! vÞProof. Since Theorem 1 applies to feasible routes, a feasible ½fbestRðu; sÞgŠ 6¼ fg. From Definition 5, packet Mðs; dÞ, route can be one of the six types of paths in Theorem 1. In which is forwarded by node u, will not be discarded by v.t u the following, we assume that the feasible route r is of Notice that the destination address d in a packet Mðs; dÞ type 6, that is, an uphill path followed by a peer-to-peer does not play a role in an IDPF node’s filtering decision edge, which is followed by a downhill path. Cases where (Definition 5). By constructing filtering tables based on the r is of types 1-5 can similarly be proved. To prove the source address alone (rather than both source and destina- lemma, we consider the possible positions of nodes u tion addresses), the per-neighbor space complexity for an and v in the feasible route: IDPF node is reduced from OðN 2 Þ to OðNÞ, where N ¼ jV j Case 1. Nodes u and v belong to the uphill path. Then, is the number of nodes in the graph (the route-based node s must be an (indirect) customer or sibling of node scheme can achieve the same complexity bound [12]). u. From the import routing policies in Table 1 and the It is worth noting that IDPFs filter packets based on export routing policy r1 and the definition of indirect whether the reachability information of a network prefix is customers/siblings, we know that u will propagate to propagated by a neighbor and not on how the BGP updates (provider) node v the reachability information of s. are propagated. As long as ASs propagate network reach- Case 2. eðu; vÞ is the peer-to-peer edge. This case can ability information according to the rules in Tables 1 and 2, similarly be proved as case 1 (based on the import routing IDPFs work correctly. Moreover, the effectiveness of IDPFs is policies in Table 1 and the export routing policy r3). determined largely by the size of feasibleRðs; dÞ, which is a Case 3. Nodes u and v belong to the downhill path. function of the (relatively static) AS relationships. Hence, Let eðx; yÞ be the peer-to-peer edge along the feasible how the BGP updates are propagated does not affect both the route r and note that u is an (indirect) customer of y. correctness and the performance of IDPFs. For example, the From the proof of case 2, we know that node y learns the multiple-path advertisement supported by MIRO [28] will reachability information of s from x. From the export not affect IDPFs’ correctness and effectiveness. routing policy r2 and the definition of indirect custo- mers, node y will propagate the reachability information 4.4 Routing Policy Complications of s to node u, which will further export the reachability As discussed earlier, the import routing policies and the information of s to (customer) node v. u t export routing policies specified in Tables 1 and 2 are not
    • DUAN ET AL.: CONTROLLING IP SPOOFING THROUGH INTERDOMAIN PACKET FILTERS 27Fig. 3. Automatic backup route. Fig. 4. Conditional route advertisement.complete. In particular, multihomed ASs may employ lessrestrictive routing policies for traffic engineering or otherpurposes [29]. In this section, we first present two traffic the correctness of IDPFs, as defined in Definition 5, on theengineering examples that do not follow the import and Internet. The proof is similar to that of Lemma 1 andexport routing policies specified in Tables 1 and 2. Then, we Theorem 2, and we omit it here.discuss how ASs that employ these special traffic engineer-ing practices should control the forwarding of their traffic to 5 PRACTICAL DEPLOYMENT ISSUES OF IDPFSensure the delivery of their traffic in the IDPF framework. In the first example (see Fig. 3), based on [27], ASs a and 5.1 Incremental Deploymentb are providers of AS s, and s has two prefixes 138.39/16 IDPFs can independently be deployed in each AS. IDPFs areand 204.70/16. The link between a and s is used as the deployed at the border routers so that IP packets can beprimary and backup links for 138.39/16 and 204.70/16, inspected before they enter the network. By deployingrespectively, whereas the link between b and s is used in a IDPFs, an AS constrains the set of packets that a neighborreverse manner. To achieve this traffic engineering goal, s can forward to the AS: a neighbor can only successfullyinforms a to assign the direct customer route r1 between a forward a packet Mðs; dÞ to the AS after it announces theand s a lower local preference over the peering route r2 reachability information of s. All other packets arelearned from b to reach the network prefix 204.70/16. identified to carry spoofed source addresses and areThat is, r1 :local pref < r2 :local pref. This local prefer- discarded at the border router of the AS. In the worst case,ence assignment at node a does not follow the import even if only a single AS deploys IDPF and spoofed IProuting policies defined in Table 1, which requires that an packets can get routed all the way to the AS in question,AS should prefer a direct route over an indirect route using an IDPF perimeter makes it likely that spoofed(through a peer) to reach a customer. packets will be identified and, hence, blocked at the Now, consider the example in Fig. 4. Customer s has a perimeter. Clearly, if the AS is well connected, launchingprimary provider a and a backup provider b. AS s realizes this a DDoS attack upon the perimeter itself takes a lot moregoal by using a technique called conditional route advertise- effort than targeting individual hosts and services withinment. Prefix 138.39/16 is announced to the backup the AS. In contrast, ASs that do not deploy IDPF offerprovider b only if the link to the primary provider a fails. relatively little protection to the internal hosts and services.This asymmetric advertisement does not follow the export Therefore, an AS has direct benefits of deploying IDPFs. Inrouting policy r1 defined in Table 2, which states that a general, by deploying IDPFs, an AS can also protect othercustomer will always export to its providers the routes to its ASs to which the AS transports traffic, in particular theown prefixes. customer ASs. It can similarly be understood that an IDPF In the examples, the customer s controls the route node limits the set of packets forwarded by a neighbor andpropagation either by manipulating the local preference of destined for a customer of the AS.the routes in providers (see Fig. 3) or by conditional route 5.2 Handling Routing Dynamicsadvertisement (see Fig. 4). As long as the customer AS doesnot forward packets through the backup route while the So far, we have assumed that the AS graph is a staticprimary route is still available, the IDPF architecture will structure. In reality, the graph changes, triggering thenot discard any valid packets. This requirement is not hard generation of BGP updates and altering the paths that ASsto meet, since the customer controls both the route use in reaching each other. In this section, we examine howpropagation and traffic delivery. The same observation routing dynamics affects the operation of IDPFs. Weapplies to other cases when the routing policies specified in consider two different types of routing dynamics: 1) thoseTables 1 and 2 are not followed. We have the following caused by network failures and 2) those caused by therestricted traffic forwarding policy for the ASs that do not creation of a new network (or recovery from a fail-downfollow the routing policies specified in Tables 1 and 2. network event). Routing dynamics caused by routing policy Restricted traffic forwarding policy. If an AS does not changes can similarly be addressed, and we omit them here.follow the import and export routing policies in Tables 1 IDPFs are completely oblivious to the specifics of theand 2, as long as the primary route is available, the AS announced routes. Following a network failure, the set ofshould not forward traffic along other (backup) routes. feasible upstream neighbors will not admit more members If each AS on the Internet follows the import routing during the period of routing convergence, assuming that ASpolicies in Table 1 and the export routing policies in Table 2 relationships are static, which is true in most cases. Hence, foror the restricted traffic forwarding policy, we can establish the first type of routing dynamics (network failure), there is
    • 28 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 5, NO. 1, JANUARY-MARCH 2008no possibility that the filters will block a valid packet. We behavior. Due to this property, IDPF is most effective whenillustrate this as follows: Consider an IDPF-enabled AS v that different ASs own nonoverlapping prefixes. For example, let sis on the best route from s to d. Let u ¼ bestUðs; d; vÞ and be 1.2/16. Then, all ASs along the path from s to d can spoofU ¼ feasibleUðs; d; vÞ. A link or router failure between u and this prefix. Now, if there is a more specific address s0 ¼s can have three outcomes: 1) AS u can still reach AS s, and u is 1:2:3=24 somewhere in the network, all these ASs can now alsostill chosen to be the best upstream neighbor for packet spoof s0 , since a more specific prefix also matches a moreMðs; dÞ, that is, u ¼ bestUðs; d; vÞ. In this situation, although general prefix. This situation does not happen when prefixesu may explore and announce multiple routes to v during the are not overlapped. Hence, statistically, IDPF is more effectivepath exploration process [30], the filtering function of v is when prefixes are not overlapped. However, due to the ubiquitous use of classless addressing, that is, CIDR [31], theunaffected. 2) AS u is no longer the best upstream neighbor for prefixes owned by different ASs may overlap. The effect ofpacket Mðs; dÞ, and another feasible upstream neighbor u0 2 overlapping prefixes will be studied in the next section.U can reach AS s and is instead chosen to be the new bestupstream neighbor (for Mðs; dÞ). Now, both u and u0 mayexplore multiple routes; however, since u0 has already 6 PERFORMANCE STUDIESannounced a route (about s) to v, the IDPF at v can correctly In this section, we first discuss the objectives of ourfilter (that is, accept) packet Mðs; dÞ, which is forwarded from performance studies and the corresponding performanceu0 . 3) No feasible upstream neighbors can reach s. Conse- metrics. We then describe the data sets and specific settingsquently, AS v will also not be able to reach s, and v will no used in the simulation studies. Finally, detailed resultslonger be on the best route between s and d. No new packet obtained from simulations are presented.Mðs; dÞ should be sent through v. The other concern of routing dynamics relates to how a 6.1 Objectives and Metricsnewly connected network (or a network recovered from a We evaluate the effectiveness of IDPFs in controlling IPfail-down event) will be affected. In general, a network may spoofing-based DDoS attacks from two complementarystart sending data immediately following the announcement perspectives [12]. First, we wish to understand how effectiveof a (new) prefix, even before the route has had time to the IDPFs are in proactively limiting the capability of anpropagate to the rest of the Internet. During the time that the attacker to spoof addresses of ASs other than its own. IDPFsroute should be propagated, packets from this prefix may be do not provide complete protection, and spoofed packetsdiscarded by some IDPFs if the reachability information has may still be transmitted. Thus, the complementary reactivenot propagated to them. However, the mitigating factor here view is also important. We study how the deployed IDPFsis that in contrast to the long convergence delay that follows can improve IP traceback effectiveness by localizing thefailure, reachability for the new prefix will be distributed far actual source of spoofed packets. Since the (incremental)more speedily. In general, the time taken for such new prefix deployment of IDPFs directly affects the effectiveness,information to reach an IDPF is proportional to the shortest various deployment scenarios are considered. The lastAS path between the IDPF and the originator of the prefix and dimension of our simulation studies concerns the issue ofindependent of the number of alternate paths between the incentive, that is, how an individual AS will benefit from deploying IDPF on its routers.two. Previous work has established this bound to be OðLÞ, We use the performance metrics introduced in [12] in ourwith L being the diameter of the AS graph [30]. We believe study. Given any pair of ASs, say, a and t, Sa;t is the set of ASsthat in this short timescale, it is acceptable for IDPFs to from which an attacker in AS a can forge addresses to attack t.potentially incorrectly behave (discarding valid packets). It For any pair of ASs, s and t, Cs;t is the set of ASs from whichmust be noted that during BGP route convergence periods, attackers can attack t by using addresses that belong to s,without IDPF, BGP can also drop packets. One alternative without such packets being filtered before they reach t.solution is to allow a neighbor to continue forwarding packets To establish a contrast, consider that Sa;t quantifies thefrom a source within a grace period, after the corresponding pool of IP addresses that may be forged by an attacker in a tonetwork prefix has been withdrawn by the neighbor. In this send packets to t without being stopped. On the other hand,case, during this short period, IDPFs may fail to discard Cs;t is defined from the victim’s perspective. This quantifiesspoofed attack packets. However, given that most DDoS the size of the set of ASs that can forge an address belongingattacks require a persistent train of packets to be directed at a to s in sending packets to t without being discarded alongvictim, not discarding spoofed packets for this short period of the way. Thus, the latter is a measure of the effort required attime should be acceptable. We plan to further investigate the AS t to trace the packets to the actual source (there are jCs;t jrelated issues in the future. locations from which the packet could have originated). In short, IDPFs can handle the routing dynamics causedby network failures, which may cause long route conver- 6.1.1 Proactive Prevention Metricsgence times. IDPFs may, however, drop packets in the Given the AS graph G ¼ ðV ; EÞ, we define the preventionnetwork recovery events. We argue that this is not a big metric from the point of view of the victim as follows:problem, since 1) the network recovery events typicallyhave a short convergence time and 2) such events can also jft : 8a 2 V ; jSa;t j gjcause service disruptions in the original BGP without IDPF. V ictimF ractionðÞ ¼ : jV j5.3 Overlapping Prefixes V ictimF ractionðÞ, which is redefined from [12], denotesIn the IDPF architecture, all ASs along the path from s to d can the proportion of ASs that satisfy the following propertyspoof the source address of s and reach d without being that if an arbitrary attacker intends to generate spoofedfiltered out. The route-based packet filtering has a similar packets, it can successfully use the IP addresses of at most 
    • DUAN ET AL.: CONTROLLING IP SPOOFING THROUGH INTERDOMAIN PACKET FILTERS 29ASs (note that this includes the attacker’s own AS). Thus, TABLE 3V ictimF ractionðÞ represents the effectiveness of IDPFs in Graphs Used in the Performance Studiesprotecting ASs against spoofing-based DDoS attacks, that is,the fraction of ASs that can be attacked by attackers whocan spoof addresses of at most  networks. For instance,V ictimF ractionð1Þ, which should be read as the fraction ofASs that can be attacked with packets from at most one AS,describes the immunity to all spoofing-based attacks. Next, we define a metric from the attacker’s perspective.Given G ¼ ðV ; EÞ, AttackF ractionðÞ, as defined in [12], 6.2 Data Setsdescribes the fraction of ASs from which an attacker can In order to evaluate the effectiveness of IDPFs, we constructforge addresses belonging to at most  ASs (including the four AS graphs from the BGP data archived by the Routeattacker’s own) in attacking any other ASs in the graph: Views Project [33]. The first three graphs, denoted G2003 , G2004 , and G2005 , are constructed from single routing table snapshots jfa : 8t 2 V ; jSa;t j gj (taken from the first day of each of the years). Although these AttackF ractionðÞ ¼ : provide an indication of the evolutionary trends in the growth jV j of the Internet AS graph, they offer only a partial view of the Intuitively, AttackF ractionðÞ is the strength of IDPFs in existing connectivity [14]. In order to obtain a morelimiting the spoofing capability of an arbitrary attacker. For comprehensive picture, similar to [34], we construct G2004cinstance, AttackF ractionð1Þ quantifies the fraction of ASs by combining G2003 and an entire year of BGP updates betweenfrom which an attacker cannot spoof any address other than G2003 and G2004 . Note that the Slammer worm attack [35],its own. which caused great churn of the Internet routing system, occurred during this period of time. This had the side effect of6.1.2 Reactive IP Traceback Metrics exposing more edges and paths than would normally beTo evaluate the effectiveness of IDPFs in reducing the IP visible.1 It is worth pointing out that, even with this effort, thetraceback effort, that is, the act of determining the true origin AS graphs that we constructed still may only represent aof spoofed packets, V ictimT raceF ractionðÞ is defined in partial view of the Internet AS-level topology and may not[12], which is the proportion of ASs being attacked that can capture all the feasible routes between a pair of source andlocalize the true origin of an attack packet to be within  ASs: destination. Thus, we may overestimate the performance of IDPFs, especially for G2003 , G2004 , and G2005 . jft : 8s 2 V ; jCs;t j gj Table 3 summarizes the properties of the four graphs. In V ictimT raceF ractionðÞ ¼ : this table, we enumerate the number of nodes, edges, and jV j AS paths that we could extract from the data sets. We alsoFor instance, V ictimT raceF ractionð1Þ is simply the fraction include the size of the vertex cover (VC) for the graphof ASs, which, when attacked, can correctly identify the corresponding to individual data sets (the construction will(single) source AS from which the spoofed packet was be described later). In Table 3, we see that G2004c has aboutoriginated. 22,000 more edges or a 65.9 percent increase compared to G2004 . In addition, the number of observed AS paths in6.1.3 Incentives to Deploy IDPF G2004c is an order of magnitude more than the observedTo formally study the gains that ASs might accrue paths in the G2004 data.by deploying IDPFs on their border routers, weintroduce a related set of metrics: V ictimF ractionIDP F ðÞ, 6.2.1 Inferring Feasible Upstream NeighborsAttackF ractionIDP F ðÞ, and V ictimT raceF ractionIDP F ðÞ. In order for each AS to determine the feasible upstream neighbors for packets from source to destination, we alsoLet T denote the set of ASs that support IDPFs: augment each graph with the corresponding AS paths used jft 2 T : 8a 2 V ; jSa;t j gj for constructing the graph [33]. We infer the set of feasible V ictimF ractionIDP F ðÞ ¼ ; upstream neighbors for a packet at an AS as follows: In jT j general, if we observe an AS path hvk ; vkÀ1 ; . . . ; v0 i associated jfa 2 V : 8t 2 T ; jSa;t j gj AttackF ractionIDP F ðÞ ¼ ; with prefix P , we take this as an indication that vi announced jV j the route for P to viþ1 , that is, vi 2 feasibleUðP ; viþ1 Þ, jft 2 T : 8s 2 V ; jCs;t j gj i ¼ 0; 1; . . . ; k À 1.V ictimT raceF ractionIDP F ðÞ ¼ : jT j 6.2.2 Determining Routes between Two Nodes Note that these are similar to the metrics defined Given an AS graph G ¼ ðV ; EÞ and a subset of nodes T  Vearlier, that is, V ictimF ractionðÞ, AttackF ractionðÞ, and that deploy the IDPFs, the route that a packet takes fromV ictimT raceF ractionðÞ, respectively. However, we re- source node s to destination node t will determine the IDPFsstrict the destinations to the set of IDPF-enabled ASs that the packet will encounter on the way. Consequently, inrather than the entire population of ASs. order to compute the described performance metrics, we require the Note also that V ictimF ractionðÞ, AttackF ractionðÞ,and V ictimT raceF ractionðÞ correspond to 1 ðÞ, 2 ðÞ, 1. Given the lengthy period over which we applied the updates, it is likely that our AS graph includes “stale edges,” that is, edges that no longerand 1 ðÞ in [32], respectively. We rename them to facilitate exist. We ignore this effect in our study, noting that AS relationships areeasier understanding. quite stable and, thus, the number is likely to be very small.
    • 30 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 5, NO. 1, JANUARY-MARCH 2008exact routes that will be taken between any pairs of nodes. spoofing-based attack on the Internet (assuming thatUnfortunately, there is simply no easy way to accurately get no overlapping prefixes are announced). Moreover,this knowledge. In this paper, as a heuristic, we simply use the with the same configuration, the AS under attack canshortest path on G. When there are multiple candidates, we localize the true origin of an attack packet to be withinarbitrarily select one of them. As a consequence, in addition to 28 ASs, thus greatly reducing the effort of IP traceback.AS paths, we also include the selected shortest path as a In this summary, unless specified otherwise, allfeasible route if it has not been described in the routing example data are based on the VC IDPF coverage onupdates observed. Note that this knowledge, that is, the best the 2004c data set, with the assumptions that IDPFpath from an AS to another, is only required in the simulation nodes are also capable of ingress filtering and thatstudies to determine the IDPFs that a packet may encounter on there are no overlapping prefixes.the way from the source to the destination. It is not required in . The placement of IDPFs plays a key role in thethe construction of the IDPFs. Note also that due to the way that effectiveness of IDPFs in controlling spoofing-basedfeasible neighbors are computed, the effectiveness of IDPFs attacks. It is much more effective in deploying IDPFsmay artificially be inflated, since the set of feasible neighbors on ASs with high connectivity (such as tier-1 ISPs)of a node in our simulations is a subset of feasible neighbors of than deploying IDPFs on random ASs. For example,the node in reality (with the complete Internet topology). deploying IDPFs on 5 percent of ASs selected by the Top method is more effective than deploying IDPFs6.2.3 Selecting IDPF Nodes on 30 percent of ASs selected by the Rnd method inGiven a graph G ¼ ðV ; EÞ, the effectiveness of IDPF heavily all of the three performance metrics.depends on the filter set, that is, nodes in V for supporting . In comparison to constructing filters with preciseIDPF. We consider two methods for selecting IDPF nodes, routing information, constructing filters with BGPwhich represents two ways that IDPFs can incrementally be updates does not significantly degrade the IDPFdeployed. In the first method, denoted as T op, we aggres- performance in limiting spoofed packets. However,sively select the nodes with the highest degree to deploy the IDPF traceback capability is substantially af-IDPF. A special case of this method, denoted as V C, is fected. For example, the number of nodes thatselecting the IDPF nodes until a V C of G is formed. The cannot launch any spoofing-based attacks dropsnumber of nodes for forming the V C for each data set is from 84 percent to 80 percent (a slight decrease),shown in Table 3. In the second method, denoted as Rnd, we whereas the number of ASs that an AS can pinpointrandomly (uniformly) choose the nodes from V until a as the potential true origin of an attack packetdesirable proportion of nodes are chosen. We will use the increases from 7 to 28 (a fairly large increase).notions RndX and T opX to denote the selection of X percent . Overlapping prefixes have a detrimental effect on theof all nodes for deploying IDPFs using the Rnd and T op performance of IDPFs. However, IDPFs still workmethods, respectively. For example, Rnd30 represents reasonably well with overlapping prefixes announcedselecting 30 percent of nodes to be IDPF nodes using the on the Internet. For example, in this case, an attacker inRnd method. Note that ASs with high degrees are normally about 50 percent of the ASs cannot launch anyInternet service providers. In particular, tier-1 service spoofing-based attacks, and for the majority of attackproviders normally have higher degrees than others. There- packets, the AS under attack can pinpoint the truefore, the T op method will likely select tier-1 nodes first. Given origin to be within 79 ASs.that the majority of AS paths traverse tier-1 providers, filters . Network ingress filtering [25] helps improve thedeployed at tier-1 providers (or ASs with higher degrees) are performance of IDPFs. However, even without net-more effective in detecting spoofed traffic. On the other hand, work ingress filtering, IDPF is still effective. Forthe Rnd method may represent a more realistic IDPF example, an attacker still cannot launch any spoof-deployment scenario, where ASs decide whether to deploy ing-based attacks from within more than 60 percent ofIDPF independently. ASs. Moreover, the AS under attack can localize the true origin of an attack packet to be within 87 ASs.6.3 Results of Performance Studies Next, we will present the experimental results. In allThe studies are performed with the Distributed Packet Filtering experiments, except for the ones in Section 6.3.5, we assume(dpf) simulation tool [12]. We extended dpf to support our own that ASs that deploy IDPFs, being security conscious andfilter construction based on BGP updates and to deal with network savvy, also implement network ingress filtering [25].overlapping prefixes. We evaluated the performance of IDPFsby using the three performance metrics (V ictimF ractionðÞ, 6.3.1 IDPFs with BGP Updates and NonoverlappingAttackF ractionðÞ, and V ictimT raceF ractionðÞ) under dif- Prefixesferent situations. In addition, we also studied the impact ofusing BGP updates instead of precise routing information to To begin with, we study the performance of IDPFs withconstruct packet filters, investigated the effect of overlapping BGP updates and nonoverlapping prefixes. Fig. 5 shows theprefixes in the Internet, and considered IDPFs with and results on G2004c with different IDPF node coverages,without network ingress filtering. Before we describe the whereas Fig. 6 shows the results of the IDPF VC coveragesimulation results in detail, we briefly summarize the salient on different data sets.findings: Fig. 5a presents the values of V ictimF ractionðÞ for three different ways of selecting the IDPF node on the G2004c . IDPFs can significantly limit the spoofing capability of graph: V C and random covers (Rnd50 and Rnd30). Note an attacker. For example, with the V C IDPF coverage that V ictimF ractionðÞ indicates the proportion of nodes on the 2004c data set, an attacker in more than that may be attacked by an attacker that can spoof the IP 80 percent of ASs cannot successfully launch any addresses of at most  nodes. As discussed earlier, IDPFs
    • DUAN ET AL.: CONTROLLING IP SPOOFING THROUGH INTERDOMAIN PACKET FILTERS 31Fig. 5. Results for G2004c with different IDPF node coverages. (a) V ictimF ractionðÞ. (b) AttackF ractionðÞ. (c) V ictimT raceF ractionðÞ.Fig. 6. Results for G2003 , G2004 , G2004c , and G2005 with the VC coverage. (a) V ictimF ractionðÞ. (b) AttackF ractionðÞ. (c) V ictimT raceF ractionðÞ.cannot completely protect ASs from spoofing-based attacks. Rnd30 and Rnd50, the ability of nodes to pinpoint the trueHence, we focus on its ability to limit the spoofing capability origin is greatly reduced. In Fig. 6c, we also see that G2003 ,of attackers. Fig. 5a shows that IDPF is effective in G2004 , and G2005 can all pinpoint the true origin of attackcontrolling V ictimF ractionðÞ, especially with the IDPF packets to be within 10 nodes. However, it is important toVC coverage. The figure shows that the placement of IDPFs note that such graphs are less complete representations ofplays a key role in the effectiveness of IDPFs in controlling the Internet topology compared to G2004c . Nonetheless, thespoofing-based attacks. For example, with only 17.8 percent trend in the results for G2003 , G2004 , and G2005 is quite similarof nodes supporting IDPFs, V C outperforms both Rnd30 to that in the results for G2004c . In the rest of this section, weand Rnd50, although they recruit a larger number of nodes will mostly show results for G2004c , since this data set isthat support IDPFs. In general, it is more preferable for more complete than others.nodes with large degrees (such as big ISPs) to deploy IDPFs. Figs. 7 and 8 show the performance as functions of theFig. 6a shows V ictimF ractionðÞ for the graphs from 2003 percentages of IDPF nodes selected with the T op and Rndto 2005 (including G2004c ) with the V C coverage. We see that methods, respectively. As expected, in both cases, theoverall, similar trends hold for all the years examined. effectiveness of IDPF increases as a larger number of nodesHowever, it is worth noting that G2004c performs worse than deploy IDPF. However, these two figures show that the T op method is significantly more effective than the Rnd scheme,G2004 . This is because G2004c contains more edges and more which strongly argues for the deployment of IDPFs in largeAS paths by incorporating one-year BGP updates. ISPs with more connectivity. As shown in the figures, even AttackF ractionðÞ illustrates how effective IDPFs are in with being deployed only on 1 percent of the most connectedlimiting the spoofing capability of attackers. In particular, nodes, IDPFs can significantly limit the spoofing capability ofAttackF ractionð1Þ is the proportion of nodes from which an the attackers and increase the traceback accuracy. Moreover,attacker cannot launch any spoofing-based attacks against the performance of IDPFs with 5 percent of all the nodesany other nodes. Fig. 5b shows that IDPFs are very effective selected by the T op method is never worse than that within this regard. For G2004c , AttackF ractionð1Þ ¼ 80:8 percent, 30 percent of all the nodes selected by the Rnd method in59.2 percent, and 36.2 percent for V C, Rnd50, and Rnd30, terms of all of the three performance metrics. When the IDPFrespectively. Similar trends hold for all the years examined nodes are randomly selected, they can still significantly limit(see Fig. 6b). This indicates that IDPFs are very effective in the spoofing capability (see Fig. 8b).limiting the spoofing capability. Recall that V ictimT raceF ractionðÞ indicates the propor- 6.3.2 Impacts of Precise Routing Informationtion of nodes that, under attack by packets with a source IP In this section, we study the impact of the precise globaladdress, can pinpoint the true origin of the packets to be routing information on the performance of IDPFs. The goal iswithin at most  nodes. Fig. 5c shows that all nodes can to determine the performance difference between IDPFs andlocalize the true origin of an arbitrary attack packet to be the ideal route-based packet filters [12] with precise globalwithin a small number of candidate nodes (28 nodes; see routing information. Notice that in a sense, SAVE [22] is aFig. 6c) for the V C coverage. For the other two, that is, way to realize route-based packet filtering on the Internet. Its
    • 32 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 5, NO. 1, JANUARY-MARCH 2008Fig. 7. The T op method with different percentages of IDPF nodes. (a) V ictimF ractionðÞ. (b) AttackF ractionðÞ. (c) V ictimT raceF ractionðÞ.Fig. 8. The Rnd method with different percentages of IDPF nodes. (a) V ictimF ractionðÞ. (b) AttackF ractionðÞ. (c) V ictimT raceF ractionðÞ.packet filtering performance should be close to route-based the precise routing information, there are still aboutpacket filtering with precise global routing information. As 80 percent of ASs where an attacker cannot launch any suchdiscussed in Section 6.2.2, we use the shortest path on the AS attacks by solely relying on the BGP update information.graph for a given pair of source and destination to However, the traceback ability is more significantly affected.approximate the precise route between the pair. As shown By only relying on the BGP update information, an arbitraryin Fig. 9, the availability of the precise routing information AS can still pinpoint the true origin of an attack packet to bebetween any pair of source and destination only slightly within 28 ASs compared to 7 if precise global routingimproves the AttackF ractionðÞ of IDPFs in comparison to information is available.the case where BGP update information is used. For example, Figs. 10 and 11 show the results when the IDPF nodes arealthough about 84 percent of nodes cannot be used by selected with the T op and Rnd methods, respectively. For bothattackers to launch any spoofing-based attacks by relying on IDPF node selection schemes, the precise routing information (versus BGP updates) has little impact on AttackF raction and has significant impact on V ictimT raceF raction. These results indicate that using local BGP updates does not significantly affect the IDPFs’ ability to limit the spoofing capability of attackers but may affect the traceback accuracy. This conclu- sion applies to both T op and Rnd deployment scenarios. 6.3.3 Impacts of Overlapping Prefixes Fig. 12 shows the impact of overlapping prefixes. In Fig. 12a, we see that overlapping prefixes only have a relativelyFig. 9. Precise routing information versus BGP update information(G2004c , VC).Fig. 10. The T op method with different percentages of IDPF nodes. Fig. 11. The Rnd method with different percentages of IDPF nodes.(a) AttackF ractionðÞ. (b) V ictimT raceF ractionðÞ. (a) AttackF ractionðÞ. (b) V ictimT raceF ractionðÞ.
    • DUAN ET AL.: CONTROLLING IP SPOOFING THROUGH INTERDOMAIN PACKET FILTERS 33Fig. 12. Impact of overlapping prefixes (G2004c ,VC; note that scales are different). (a) AttackF ractionðÞ. (b) V ictimT raceF ractionðÞ.(c) V ictimT raceF raction99 ðÞ.Fig. 13. The T op method with different percentages of IDPF nodes. (a) AttackF ractionðÞ. (b) V ictimT raceF ractionðÞ.(c) V ictimT raceF raction99 ðÞ.Fig. 14. The Rnd method with different percentages of IDPF nodes. (a) AttackF ractionðÞ. (b) V ictimT raceF ractionðÞ.(c) V ictimT raceF raction99 ðÞ.moderate impact on limiting the spoofing capability of packet to be within  ASs. Fig. 12c presents the values ofattackers. For example, an attacker of about 50 percent nodes V ictimT raceF raction99 ðÞ. In this figure, we see that for morecannot spoof IP addresses of any other nodes. Fig. 12b than 99 percent of IP addresses of attack packets, a node candemonstrates that overlapping prefixes may significantly pinpoint the true origin to be within 79 nodes.affect the ability of nodes to pinpoint the true origin of an Figs. 13 and 14 show the results when the IDPF nodesattack packet. However, we speculate that this is caused by are selected with the T op and Rnd methods, respectively.ISPs that announce less specific prefixes that contain more For the T op method, overlapping prefixes slightlyspecific prefixes announced by other ASs. To verify this, we affect AttackF ractionðÞ but may significantly changeintroduce another metric V ictimT raceF raction99 ðÞ, which V ictimT raceF ractionðÞ. For example,is defined with respect to 99 percent of jCs;t j. Formally, V ictimT raceF ractionð1000Þ 99 V ictimT raceF raction ðÞ changes from 100 percent with nonoverlapping prefixes to jft : 8s 2 V ; P ðjCs;t j Þ ¼ 99%gj 0 percent with overlapping prefixes for all the percentages ¼ : plotted in Fig. 13. For the Rnd method, as shown in Fig. 14, the jV j impact on AttackF raction is negligible, whereas the impact V ictimT raceF raction99 ðÞ can be interpreted as follows: on V ictimT raceF raction is significant. These results are inFor an attack packet with an arbitrary IP source address, with line with the results for the VC coverage, which indicates thata 99 percent probability, we can pinpoint the true origin of the the conclusion applies to both IDPF node selection schemes.
    • 34 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 5, NO. 1, JANUARY-MARCH 2008Fig. 15. Deployment incentives (G2004c , Rnd5). (a) V ictimF ractionIDP F ðÞ versus V ictimF ractionðÞ. (b) V ictimT raceF ractionIDP F ðÞ versusV ictimT raceF ractionðÞ. (c) AttackF ractionIDP F ðÞ versus AttackF ractionðÞ.Fig. 16. Deployment incentives (G2004c , Rnd30). (a) V ictimF ractionIDP F ðÞ versus V ictimF ractionðÞ. (b) V ictimT raceF ractionIDP F ðÞ versusV ictimT raceF ractionðÞ. (c) AttackF ractionIDP F ðÞ versus AttackF ractionðÞ.6.3.4 Deployment Incentives 6.3.5 IDPFs with and without Network Ingress FilteringThis section studies the incentives for an AS to deploy IDPFs. So far, we have assumed that networks supporting IDPFsThe deployment incentive is the key factor that is responsible also employ network ingress packet filtering [25]. In thisfor the slow deployment of network ingress filtering. Figs. 15 section, we examine the implications of this assumption.and 16 show the incentive for an AS to deploy IDPFs: the ASs In Fig. 17, we can see that ingress packet filtering indeed hasthat deploy IDPFs are better protected than those that do not an impact on the effectiveness of IDPFs in limiting thedeploy IDPFs. Fig. 15 shows the results when only 5 percent of spoofing capability of attackers. However, without networkall nodes (randomly selected) deploy IDPFs, whereas Fig. 16shows the results when 30 percent of all nodes are IDPF ingress filtering, we still have more than 60 percent of nodesnodes. We show the values of V ictimF ractionIDP F ðÞ (the from which an attacker cannot launch any spoofing-basedcurve marked with IDPF Nodes) and V ictimF ractionðÞ attacks, as compared to 80 percent when ingress filtering is(marked with All Nodes). In Figs. 15 and 16, we see that in enabled at nodes supporting IDPFs. As shown in Fig. 18, thethe Rnd30 (Fig. 16) case although only about 5 percent of all impact of network ingress filtering on the effectiveness ofnodes on the Internet cannot be attacked by attackers that can IDPFs in terms of reactive IP traceback is not very large.spoof IP addresses of more than 6,000 nodes, this percentageincreases to higher than 11 percent among the nodes that Without ingress filtering, an arbitrary node can pinpoint thesupport IDPFs. Moreover, as the value of  increases, the true origin of an attack packet to be within 87 nodes, asdifference between the two enlarges. Similarly, although only compared to 28 when networks supporting IDPFs alsoabout 18 percent of all nodes on the Internet can pinpoint the employ ingress filtering. We have also performed simulationstrue origin of an attack packet to be within 5,000 nodes, more with different IDPF node selection schemes, and the trend inthan 33 percent of nodes that support IDPFs can do so the results is similar to those displayed in Figs. 17 and 18.(Fig. 16b). Comparing Figs. 15 and 16, we can see that therelative benefit for deploying IDPF is larger when a smallernumber of nodes deploy IDPFs: there is more incentive todeploy IDPFs when a smaller number of ASs in the Internetare IDPF nodes. Figs. 15c and 16c compare the spoofing capability ofattackers in attacking a general node on the Internet andthat support IDPFs. We see that networks supporting IDPFsonly gain slightly in this perspective. This can be under-stood by noting that by deploying IDPFs, an AS protects notonly itself but also those to whom the AS transports traffic. Fig. 17. IDPF with and without ingress filtering (G2004c , VC).
    • DUAN ET AL.: CONTROLLING IP SPOOFING THROUGH INTERDOMAIN PACKET FILTERS 35 [7] S. Savage, D. Wetherall, A. Karlin, and T. Anderson, “Practical Network Support for IP Traceback,” Proc. ACM SIGCOMM Computer Comm. Rev., vol. 30, no. 4, Oct. 2000. [8] P. Watson, “Slipping in the Window: TCP Reset Attacks,” Proc. Fifth CanSecWest/core04 Conf., 2004. [9] J. Stewart, “DNS Cache Poisoning—The Next Generation,” technical report, LURHQ, Jan. 2003. [10] V. Paxson, “An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks,” ACM Computer Comm. Rev., vol. 31, no. 3, July 2001.Fig. 18. IDPF with and without ingress filtering (G2004c , VC). [11] ”CERT Advisory ca-1996-21 TCP SYN Flooding and IP Spoofing Attacks,”CERT, http://www.cert.org/advisories/CA-1996- 21.html, 1996.7 CONCLUSION [12] K. Park and H. Lee, “On the Effectiveness of Route-Based PacketIn this paper, we have proposed and studied an IDPF Filtering for Distributed DoS Attack Prevention in Power-Lawarchitecture as an effective countermeasure to the IP spoof- Internets,” Proc. ACM SIGCOMM, Aug. 2001. [13] Y. Rekhter and T. Li, “A Border Gateway Protocol 4 (BGP-4),” RFCing-based DDoS attacks. IDPFs rely on BGP update messages 1771, Mar. 1995.exchanged on the Internet to infer the validity of source [14] L. Gao, “On Inferring Autonomous System Relationships in theaddress of a packet forwarded by a neighbor. We showed that Internet,” IEEE/ACM Trans. Networking, vol. 9, no. 6, Dec. 2001.IDPFs can easily be deployed on the current BGP-based [15] L. Gao and J. Rexford, “Stable Internet Routing without Global Coordination,” IEEE/ACM Trans. Networking, vol. 9, no. 6, Dec.Internet routing architecture. We studied the conditions 2001.under which the IDPF framework can correctly work without [16] G. Huston, “Interconnection, Peering and Settlements: Part I,” Thediscarding any valid packets. Our simulation results showed Internet Protocol J., Mar. 1999.that, even with partial deployment on the Internet, IDPFs can [17] F. Baker, “Requirements for IP Version 4 Routers,” RFC 1812, Junesignificantly limit the spoofing capability of attackers. More- 1995. [18] “Unicast Reverse Path Forwarding Loose Mode,”Cisco Systems,over, they also help pinpoint the true origin of an attack http://www.cisco.com/univercd/cc/td/doc/product/software/packet to be within a small number of candidate networks, ios122/122newf%t/122t/122t13/ft_urpf.pdf, 2007.thus simplifying the reactive IP traceback process. [19] C. Jin, H. Wang, and K. Shin, “Hop-Count Filtering: An Effective Defense against Spoofed DDoS Traffic,” Proc. 10th ACM Conf. Computer and Comm. Security, Oct. 2003.ACKNOWLEDGMENTS [20] A. Yaar, A. Perrig, and D. Song, “Pi: A Path Identification Mechanism to Defend against DDoS Attacks,” Proc. IEEE Symp.The authors would like to thank Kihong Park, Heejo Lee, Security and Privacy, May 2003.and Ali Selcuk for providing the dpf simulation tool. They [21] A. Yaar, A. Perrig, and D. Song, “StackPi: New Packet Marking and Filtering Mechanisms for DDoS and IP Spoofing Defense,”also thank the Oregon Route Views Project for making BGP IEEE J. Selected Areas in Comm., vol. 24, no. 10, Oct. 2006.routing tables and updates publicly available. Z. Duan was [22] J. Li, J. Mirkovic, M. Wang, P. Reiher, and L. Zhang, “Save: Sourcesupported in part by the US National Science Foundation Address Validity Enforcement Protocol,” Proc. IEEE INFOCOM, June 2002.(NSF) Grant CCF-0541096. Y. Xin was supported in part by [23] A. Bremler-Barr and H. Levy, “Spoofing Prevention Method,”NSF Grants ANI-0106706, CCR-0208892, CCF-0342540, and Proc. IEEE INFOCOM, Mar. 2005.CCF-0541096. J. Chandrashekar was supported in part by [24] X. Liu, X. Yang, D. Wetherall, and T. Anderson, “Efficient andNSF Grants ITR-0085824 and CNS-0435444, and a Cisco Secure Source Authentication with Packet Passport,” Proc. Second Usenix Workshop Steps to Reducing Unwanted Traffic on the InternetURP Grant. Any opinions, findings, and conclusions or (SRUTI ’06), July 2006.recommendations expressed in this paper are those of the [25] P. Ferguson and D. Senie, Network Ingress Filtering: Defeating Denialauthors and do not necessarily reflect the views of US NSF of Service Attacks Which Employ IP Source Address Spoofing, RFCor Cisco Systems. A preliminary version of this paper 2267, Jan. 1998. [26] “The Team Cymru Bogon Route Server Project,”Team Cymru,appeared in the Proceedings of the IEEE INFOCOM 2006 with http://www.cymru.com/BGP/bogon-rs.html, 2007.the title “Constructing Inter-Domain Packet Filters to [27] J. Stewart, BGP4: Inter-Domain Routing in the Internet. Addison-Control IP Spoofing Based on BGP Updates.” Wesley, 1999. [28] W. Xu and J. Rexford, “Miro: Multi-Path Interdomain Routing,” SIGCOMM Computer Comm. Rev., vol. 36, no. 4, Oct. 2006. [29] L. Gao, T. Griffin, and J. Rexford, “Inherently Safe Backup RoutingREFERENCES with BGP,” Proc. IEEE INFOCOM, 2001.[1] ICANN SSAC Advisory SAC008 DNS Distributed Denial of Service [30] J. Chandrashekar, Z. Duan, Z.-L. Zhang, and J. Krasky, “Limiting (DDoS) Attacks, Mar. 2006. Path Exploration in BGP,” Proc. IEEE INFOCOM, Mar. 2005.[2] C. Labovitz, D. McPherson, and F. Jahanian, “Infrastructure [31] V. Fuller, T. Li, J. Yu, and K. Varadhan, “Classless Inter-Domain Attack Detection and Mitigation,” Tutorial, Proc. ACM SIGCOMM, Routing (CIDR): An Address Assignment and Aggregation Aug. 2005. Strategy,” RFC 1519, Sept. 1993.[3] R. Beverly and S. Bauer, “The Spoofer Project: Inferring the Extent [32] Z. Duan, X. Yuan, and J. Chandrashekar, “Constructing Inter- of Internet Source Address Filtering on the Internet,” Proc. First Domain Packet Filters to Control IP Spoofing Based on BGP Usenix Steps to Reducing Unwanted Traffic on the Internet Workshop, Updates,” Proc. IEEE INFOCOM, Apr. 2006. July 2005. [33] “Route Views Project,” Univ. of Oregon, http://www.routeviews.[4] S. Kandula, D. Katabi, M. Jacob, and A. Berger, “Botz-4-Sale: org/, 2007. Surviving Organized DDoS Attacks that Mimic Flash Crowds,” [34] X. Dimitropoulos, D. Krioukov, and G. Riley, “Revisiting Internet Proc. Second Symp. Networked Systems Design and Implementation, As-Level Topology Discovery,” Proc. Sixth Int’l Workshop Passive 2005. and Active Measurement, Mar. 2005.[5] D. Moore, C. Shannon, D. Brown, G. Voelker, and S. Savage, [35] D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. “Inferring Internet Denial-of-Service Activity,” ACM Trans. Weaver, “Inside the Slammer Worm,” Proc. IEEE Symp. Security Computer Systems, vol. 24, no. 2, May 2006. and Privacy, 2003.[6] R. Pang, V. Yegneswaran, P. Barford, V. Paxson, and L. Peterson, “Characteristics of Internet Background Radiation,” Proc. ACM Internet Measurement Conf., Oct. 2004.
    • 36 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 5, NO. 1, JANUARY-MARCH 2008 Zhenhai Duan (S ’97-M ’03) received the BS Xin Yuan (M’98) received the BS and MS degree in computer science from Shandong degrees in computer science from Shanghai University, China, in 1994, the MS degree in Jiaotong University in 1989 and 1992, respec- computer science from Beijing University, Beij- tively, and the PhD degree in computer science ing, in 1997, and the PhD degree in computer from the University of Pittsburgh in 1998. He is science from the University of Minnesota in 2003. currently an associate professor in the Depart- He is currently an assistant professor in the ment of Computer Science, Florida State Uni- Department of Computer Science, Florida State versity. His research interests include parallel University. His research interests include com- and distributed systems, compilers, and network- puter networks and multimedia communications, ing. He is a member of the IEEE and the ACM.especially scalable network resource control and management in theInternet, Internet routing protocols and service architectures, andnetworking security. He is a corecipient of the Best Paper Awards in the Jaideep Chandrashekar received the BE de-10th IEEE International Conference on Network Protocols (ICNP ’02) and gree from Bangalore University, India, in 1997the 15th IEEE International Conference on Computer Communications and the PhD degree from the University ofand Networks (ICCCN ’06). He is a member of the IEEE and the ACM. Minnesota in December 2005. He is currently with Intel Research, Santa Clara, California. His research interests include computer networks and distributed systems, especially Internet tech- nologies, network routing, and computer security. He is a member of the IEEE and the ACM. . For more information on this or any other computing topic, please visit our Digital Library at www.computer.org/publications/dlib.