This document discusses controlling IP spoofing through interdomain packet filters (IDPFs). It proposes an IDPF architecture that can mitigate IP spoofing without requiring global routing information. IDPFs are constructed using information from Border Gateway Protocol (BGP) route updates and deployed in border routers. Simulation results show that even partial deployment of IDPFs can limit spoofing capability of attackers and help localize the origin of attack packets.
AN EFFECTIVE PREVENTION OF ATTACKS USING GI TIME FREQUENCY ALGORITHM UNDER DDOS (IJNSA Journal)
With the tremendous growth of internet services, websites are becoming indispensable. When the number of users accessing a website increases, the performance of the server degrades. Because of the heavy load on the server, the response time is delayed, and as the site becomes slow, the share of users accessing it also drops. Apart from this, the slowdown may also be caused by an attack by hackers. We have implemented a special technique to recognize the attack carried out by the hackers and block them from using the site. Such an attack is termed Denial of Service; when it is carried out by many web users together it is commonly referred to as Distributed Denial of Service (DDoS). This paper proposes a method to improve server performance and deny access to the hackers.
The Phantom Protocol: Generic, Decentralized, Unstoppable Anonymity (lokijaja)
The Phantom anonymity protocol was designed in 2008 by Swedish security researcher Magnus Bråding to provide anonymity optimized for the current conditions and needs of average internet users. The design goal was feasibility for mass adoption as a de facto internet anonymization standard. This goal differentiates it from other anonymization protocols such as TOR, which have seen only limited adoption among the masses. The Phantom protocol designer hopes to change this situation and provide secure anonymity to everyone, including non-technical people.
The protocol was first presented publicly by Magnus Bråding at the IT security and hacking conference DEFCON 16 in Las Vegas 2008.
Deep packet inspection has been the subject of controversial debates about network neutrality and online privacy for the last few years. In this white paper we will argue that DPI as such is a neutral technology, neither good nor bad, and that it depends on the application that utilizes DPI whether and how it will affect the Internet and our society.
Avoiding Man in the Middle Attack Based on ARP Spoofing in the LAN (Editor IJCATR)
As technology runs on its wheels, networking has become one of our basic needs. In this world, along with networking, hostile vulnerabilities are also advancing drastically, resulting in perilous security threats. This calls for a great need for network security. ARP spoofing is one of the most common MITM attacks in the LAN. This attack can have critical implications for internet users, especially in stealing sensitive information such as passwords. Beyond this, it can facilitate other attacks like denial of service (DoS), session hijacking, etc. In this paper we propose a new method of encrypting the MAC address to shield against ARP cache poisoning.
MANAGING ORGANISATION USING VPN's : A SURVEY (Editor IJMTER)
The basic concept of a VPN is to connect networks in separate offices in such a way that makes them appear as a single network. The investigation of peer-to-peer communication began due to the low performance of the traditional client-server based model. The bandwidth and latency of the communication between the connected clients was improved by virtual private networks (VPNs). Thus a new peer-to-peer connection based VPN protocol was developed. It uses both TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) communication to transfer Ethernet frames between the connected clients across IPv4 and IPv6 networks, and it makes direct communication between the clients possible.
Abstract: Attackers use forged source IP addresses to hide their locations. IP traceback mechanisms have been used to find the locations of attackers. IP traceback approaches can be classified into packet marking, ICMP traceback, logging on the router, link testing, overlay and hybrid tracing. Based on captured backscatter messages, spoofing activities are still frequently observed. An IP traceback system on the Internet faces two critical challenges. The first is the cost of adopting a traceback mechanism in the routing system: it introduces considerable overhead to the routers for message generation and packet logging, especially in high-performance networks. The second is the difficulty of making Internet Service Providers (ISPs) collaborate. Attackers are spread over every corner of the world, so a single ISP deploying its own traceback system is meaningless, and ISPs generally lack an explicit incentive to help clients of other ISPs trace attackers in their managed systems. There are many IP traceback mechanisms and a large number of spoofing activities have been observed, but the real locations of spoofers still remain a mystery. Because of these drawbacks, IP traceback solutions have not been widely deployed and, in the end, have not been used to find the locations of attackers. To overcome the drawbacks of IP traceback mechanisms we propose a Passive IP Traceback mechanism (PIT). A router may generate an ICMP error message and send it to the spoofed source address; since such routers can be close to the attackers, these path backscatter messages may disclose the attackers' locations. PIT can work on a number of spoofing activities. The technique uses ICMP features to find the attackers: by applying PIT to an ICMP dataset, a number of attacker locations are captured and presented. As a result, the technique reveals IP spoofing, which so far has not been well understood.
In future, it may be the most suitable mechanism for tracing the attackers on the Internet Level Traceback System.
Keywords: IP Traceback, packet logging, path backscatter, hybrid tracing, link testing.
Title: REVEALING THE LOCATIONS OF IP SPOOFERS FROM ICMP
Author: J Saranya, Dr. A J Deepa
ISSN 2350-1022
International Journal of Recent Research in Mathematics Computer Science and Information Technology
Paper Publications
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology
Spoofing attacks are attacks in which attackers hide their identity and use a trusted connection to gain unauthorized access.
It is a type of attack in which the attacker keeps their identity hidden and presents themselves as someone else.
A Novel IP Traceback Scheme for Spoofing Attack (IJAEMS Journal)
As the Internet has been widely applied in various fields, more and more network security issues emerge and catch people's attention. However, adversaries often hide themselves by spoofing their own IP addresses and then launch attacks. For this reason, researchers have proposed many traceback schemes to trace the source of these attacks. Some use only one packet in their packet logging schemes to achieve IP tracking. Others combine packet marking with packet logging and therefore create hybrid IP traceback schemes demanding less storage but requiring a longer search. In this paper, we propose a new hybrid IP traceback scheme with efficient packet logging, aiming to have a fixed storage requirement for each router in packet logging without the need to refresh the logged tracking information, and to achieve zero false positive and false negative rates in attack-path reconstruction.
In computer networking, the term IP address spoofing or IP spoofing refers to the creation of Internet Protocol (IP) packets with a forged source IP address, with the purpose of concealing the identity of the sender or impersonating another computing system. On January 22, 1995, in an article entitled "New form of attack on computers linked to Internet is uncovered", John Markoff of the New York Times reported on the TCP/IP protocol suite's security weakness known as IP spoofing. The IP spoofing security weakness was published by S. M. Bellovin (1989). However, not much attention has been paid to the security weaknesses of the TCP/IP protocol by the general public. This is changing as more people and companies connect to the Internet to conduct business. This paper, "Proposed methods of IP Spoofing Detection & Prevention", contains an overview of IP addresses and IP spoofing and its background. It also briefly discusses the various types of IP spoofing and how they attack a communication system. It describes some methods for detecting and preventing IP spoofing and also the impact of IP spoofing on a communication system. We think that our proposed methods will be very helpful to detect and stop IP spoofing and give a secured communication system.
Nagios Conference 2013 - William Leibzon - SNMP Protocol and Nagios Plugins (Nagios)
William Leibzon's presentation on SNMP Protocol and Nagios Plugins.
The presentation was given during the Nagios World Conference North America held Sept 20-Oct 2nd, 2013 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/nwcna
PROACTIVE DETECTION OF DDOS ATTACKS IN PUBLISH-SUBSCRIBE NETWORKS (IJNSA Journal)
Abstract. Information centric networking (ICN) using architectures such as Publish-Subscribe Internet Routing Paradigm (PSIRP) or Publish-Subscribe Internet Technology (PURSUIT) has been proposed as an important candidate for the Internet of the future. ICN is an emerging research area that proposes a transformation of the current host centric Internet architecture into an architecture where information items are of primary importance. This change allows network functions such as routing and locating to be optimized based on the information items themselves. The Bloom filter based content delivery is a source-routing scheme that is used in the PSIRP/PURSUIT architectures. Although this mechanism solves many issues of today's Internet such as the growth of the routing table and the scalability problems, it is vulnerable to distributed denial-of-service (DDoS) attacks. In this paper, we present a new content delivery scheme that has the advantages of the Bloom filter based approach while at the same time being able to prevent DDoS attacks on the forwarding mechanism. Our security analysis suggests that with the proposed approach, the forwarding plane is able to resist attacks such as DDoS with very high probability.
Passive IP Traceback: Disclosing the Locations of IP Spoofers from Path Backs... (1crore projects)
CONTROLLING IP FALSIFYING USING REALISTIC SIMULATION (IJNSA Journal)
The study of Internet-scale events such as worm propagation, distributed denial-of-service (DDoS) attacks, flash crowds, routing instabilities and DNS attacks depends on the formation of all the networks that generate or forward valid and malicious traffic. The DDoS attack is a serious threat to the legitimate use of the Internet. Prevention mechanisms are thwarted by the ability of attackers to steal, or spoof, the source addresses in IP packets. IP falsifying is still widespread in network scanning and probing, as well as in denial-of-service floods. IDPFs can limit the falsifying capability of attackers. Moreover, they work on a small number of candidate networks that are easily traceable, thus simplifying the reactive IP traceback process. However, this technique does not allow a large number of networks, which is a common misapprehension for those unfamiliar with the practice. Current network simulators cannot be used to study Internet-scale events: they are general-purpose, packet-level simulators that reproduce too many details of network communication, which limits scalability. We propose to develop a distributed Internet simulator with the following novel features. It will provide a built-in Internet model, including the topology, routing, link bandwidths and delays. Instead of being a general-purpose simulator, it will provide a common simulation core for traffic generation and message passing, on top of which we will build separate modules that customize messages and the level of simulation detail for the event of interest. Customization modules will ensure that all and only the relevant details of the event of interest are simulated, cutting down the simulation time. We will also provide an interface for new module specification and for existing module modification; this will bring Internet event simulation to the fingertips of all interested researchers. The simulator will promote research in worm detection and defense, IP falsifying prevention and DDoS defense.
An improved ip traceback mechanism for network security (eSAT Journals)
Abstract: IP traceback is among the main challenges facing the security of today's Internet. Many techniques have been proposed, including in-band packet alerts and out-of-band packets, each of which has advantages and disadvantages. Source IP spoofing attacks are a critical issue for the Internet. These attacks are considered to be sent from bot-infected hosts. There has been active research on IP traceback technologies. However, traceback from an end victim host to an end spoofing host has never yet been achieved, because of the insufficient number of traceback probes installed on each routing path. There is a need to place alternative probes in an effort to lessen the installation cost. Recently a great number of detection and prevention technologies have been developed, but it is difficult for an IDS to distinguish normal traffic from DDoS traffic because of the many changes in network features. Existing work proposes a new hybrid IP traceback scheme with efficient packet logging that aims to have a fixed storage requirement for each router (on CAIDA's data set) in packet logging, without the need to refresh the logged tracking information, and to achieve zero false positive and false negative rates in attack-path reconstruction. The existing hybrid traceback approach is applied to the offline CAIDA dataset, which isn't suitable for real-time tracing. The proposed work is an efficient hybrid approach for single-packet traceback; to the best of our knowledge, our approach reduces the overhead in both storage and recording of packet paths by 2/3, and the time overhead for recovering packet paths is also reduced by a calculable amount.
Keywords: Attack, Trace back, LAN
As cyberattacks grow in volume and complexity, artificial intelligence (AI) is helping under-resourced security operations analysts stay ahead of threats. Curating threat intelligence from millions of research papers, blogs and news stories, AI technologies like machine learning and natural language processing provide rapid insights to cut through the noise of daily alerts, drastically reducing response
THE FIGHT AGAINST IP SPOOFING ATTACKS: NETWORK INGRESS FILTERING VERSUS FIRST... (ijsptm)
IP (Internet Protocol) spoofing is a technique that consists of replacing the IP address of the sender with another sender's address. This technique allows the attacker to send a message without being intercepted by the firewall. The most widely used method to deal with such attacks is the technique called "Network Ingress Filtering". This technique was initially used for IPv4 networks, but its principles are currently being extended to IPv6 networks. Unfortunately, it has some limitations, the main one being its accuracy. To improve safety conditions, we applied the "First-Come First-Serve (FCFS)" technique for IPv6 networks, developed by the "Internet Engineering Task Force (IETF)" within its working group "Source Address Validation Improvements (SAVI)", which is currently undergoing standardization. In this paper, we recall the course of an attack by IP spoofing and expose the threats it entails. Then, we explain the "Network Ingress Filtering" technique. Next, we present the FCFS SAVI method and the methodology that we have adopted for its implementation. Finally, following the results, we discuss and compare the advantages, disadvantages and limitations of the FCFS SAVI method to those known in the "Network Ingress Filtering" technique. The FCFS SAVI method is more effective than "Network Ingress Filtering", but requires some improvements to deal with the limitations it presents.
A SYNCHRONIZED DISTRIBUTED DENIAL OF SERVICE PREVENTION SYSTEM (cscpconf)
A DDoS attack is a distributed-source but coordinated Internet security threat in which attackers either degrade or disrupt a shared service for legitimate users. It uses various methods to inflict damage on limited resources and can be broadly classified into flood and semantic (logic) attacks. DDoS attacking mechanisms vary from time to time, and simple but powerful attacking tools are freely available on the Internet. There have been many attempts at defending victims from DDoS attacks. However, many of the previous attack prevention systems lack effective handling of the various attacking mechanisms and fail to protect legitimate users from collateral damage during detection and protection. In this paper, we propose a distributed but synchronized DDoS defense architecture using multiple agents, which are autonomous systems that perform their assigned mission in other networks on behalf of the victim. The major assignments of the defense agents are IP spoofing verification, high traffic rate limitation, anomalous packet detection, and attack source detection. These tasks are distributed among four agents that are deployed on different domain networks. The proposed solution was tested through simulation with sample attack scenarios on a model Internet topology. The experiments showed encouraging results. More comprehensive attack protection and the protection of legitimate users from collateral damage make this system more effective than previous works.
Denial of service attack: an analysis to IPv6 extension headers security nig... (IJECEIAES)
To deal with the address scarcity of Internet Protocol version 4 (IPv4), the Internet Engineering Task Force (IETF) developed Internet Protocol version 6 (IPv6) to support the need for IP addresses in the future Internet; however, one challenge that must be faced while transitioning to IPv6 is security. IPv6 is a new protocol that gives attackers many new possibilities to exploit the protocol stack, and one of them is through IPv6 extension headers. Mishandling of extension headers is a security nightmare for network administrators, allowing new security threats that cause denial of service (DoS). As a result, the mishandling of IPv6 extension headers creates new attack vectors that could lead to DoS, which can be exploited for different purposes, such as creating covert channels, fragmentation attacks, and routing header 0 attacks. Furthermore, this paper serves as a proof of concept that even today our well-known network devices are still exploitable by these attack vectors.
Similar to BasepaperControlling IP Spoofing through Interdomain Packet Filters (20)
Denial of service attack: an analysis to IPv6 extension headers security nig...
BasepaperControlling IP Spoofing through Interdomain Packet Filters
22 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 5, NO. 1, JANUARY-MARCH 2008

Controlling IP Spoofing through Interdomain Packet Filters

Zhenhai Duan, Member, IEEE, Xin Yuan, Member, IEEE, and Jaideep Chandrashekar, Member, IEEE

Abstract—The Distributed Denial-of-Service (DDoS) attack is a serious threat to the legitimate use of the Internet. Prevention mechanisms are thwarted by the ability of attackers to forge or spoof the source addresses in IP packets. By employing IP spoofing, attackers can evade detection and put a substantial burden on the destination network for policing attack packets. In this paper, we propose an interdomain packet filter (IDPF) architecture that can mitigate the level of IP spoofing on the Internet. A key feature of our scheme is that it does not require global routing information. IDPFs are constructed from the information implicit in Border Gateway Protocol (BGP) route updates and are deployed in network border routers. We establish the conditions under which the IDPF framework correctly works in that it does not discard packets with valid source addresses. Based on extensive simulation studies, we show that, even with partial deployment on the Internet, IDPFs can proactively limit the spoofing capability of attackers. In addition, they can help localize the origin of an attack packet to a small number of candidate networks.

Index Terms—IP spoofing, DDoS, BGP, network-level security and protection, routing protocols.

• Z. Duan and X. Yuan are with the Department of Computer Science, Florida State University, Tallahassee, FL 32306. E-mail: {duan, xyuan}@cs.fsu.edu.
• J. Chandrashekar is with Intel Research/CTL, 2200 Mission College Blvd., MS RNB6-61, Santa Clara, CA 95054. E-mail: jaideep.chandrashekar@intel.com.
Manuscript received 7 June 2006; revised 5 Feb. 2007; accepted 10 July 2007; published online 1 Aug. 2007.
For information on obtaining reprints of this article, please send e-mail to: tdsc@computer.org, and reference IEEECS Log Number TDSC-0071-0606.
Digital Object Identifier no. 10.1109/TDSC.2007.70224.
1545-5971/08/$25.00 © 2008 IEEE. Published by the IEEE Computer Society.

1 INTRODUCTION

Distributed Denial-of-Service (DDoS) attacks pose an increasingly grave threat to the Internet, as evident in recent DDoS attacks mounted on both popular Internet sites and the Internet infrastructure [1]. Alarmingly, DDoS attacks are observed on a daily basis on most of the large backbone networks [2]. One of the factors that complicate the mechanisms for policing such attacks is IP spoofing, which is the act of forging the source addresses in IP packets. By masquerading as a different host, an attacker can hide its true identity and location, rendering source-based packet filtering less effective. It has been shown that a large part of the Internet is vulnerable to IP spoofing [3].

Recently, attackers have increasingly been staging attacks via botnets [4]. In this case, since the attacks are carried out through intermediaries, that is, the compromised "bots," attackers may not utilize the technique of IP spoofing to hide their true identities. It is tempting to believe that the use of IP spoofing is less of a factor. However, recent studies [1], [5], [6] show that IP spoofing is still a common phenomenon: it is used in many attacks, including the high-profile DDoS attacks on root DNS servers in early February 2006 [1]. In response to this event, the ICANN Security and Stability Advisory Committee made three recommendations [1]. The first and long-term recommendation is to adopt source IP address verification, which confirms the importance of the IP spoofing problem.

IP spoofing will remain popular for a number of reasons. First, IP spoofing makes isolating attack traffic from legitimate traffic harder: packets with spoofed source addresses may appear to be from all around the Internet. Second, it presents the attacker with an easy way to insert a level of indirection. As a consequence, substantial effort is required to localize the source of the attack traffic [7]. Finally, many popular attacks such as man-in-the-middle attacks [8], [9], reflector-based attacks [10], and TCP SYN flood attacks [11] use IP spoofing and require the ability to forge source addresses.

Although attackers can insert arbitrary source addresses into IP packets, they cannot control the actual paths that the packets take to the destination. Based on this observation, Park and Lee [12] proposed the route-based packet filters as a way of mitigating IP spoofing. The idea is that by assuming single-path routing, there is exactly one single path p(s, d) between the source node s and the destination node d. Hence, any packet with the source address s and the destination address d that appears at a router that is not in p(s, d) should be discarded. The challenge is that constructing such a route-based packet filter requires the knowledge of global routing information, which is hard to reconcile in the current Internet routing infrastructure [13].

The Internet consists of thousands of network domains or autonomous systems (ASs). Each AS communicates with its neighbors by using the Border Gateway Protocol (BGP), which is the de facto interdomain routing protocol, to exchange information about its own networks and others that it can reach [13]. BGP is a policy-based routing protocol in that both the selection and the propagation of the best route to a destination at an AS are guided by some locally defined routing policies. Given the insular nature of how policies are applied at individual ASs, it is impossible for an AS to acquire the complete knowledge of routing decisions made by all other ASs. Hence, constructing route-based packet filters, as proposed in [12], is an open challenge in the current Internet routing regime.

Inspired by the route-based packet filters [12], we propose an interdomain packet filter (IDPF) architecture, a route-based packet filter system that can be constructed solely
based on the locally exchanged BGP updates, assuming that all ASs employ a set of routing policies that are commonly used today [14], [15], [16]. The key contributions of this paper are given as follows: First, we describe how we can practically construct IDPFs at an AS by only using the information in the locally exchanged BGP updates. Second, we establish the conditions under which the proposed IDPF framework works correctly in that it does not discard packets with valid source addresses. Third, to evaluate the effectiveness of the proposed architecture, we conduct extensive simulation studies based on AS topologies and AS paths extracted from real BGP data. The results show that, even with partial deployment, the architecture can proactively limit an attacker's ability to spoof packets. When a spoofed packet cannot be stopped, IDPFs can help localize the attacker to a small number of candidate ASs, which can significantly improve the IP traceback situation [7]. In addition, IDPF-enabled ASs (and their customers) provide better protection against IP spoofing attacks than the ones that do not support IDPFs. This should give network administrators incentives to deploy IDPFs.

The rest of this paper is organized as follows: We discuss related work in Section 2. We provide an abstract model of BGP in Section 3. Section 4 presents the IDPF architecture. Section 5 discusses practical deployment issues. We report our simulation study of IDPFs in Section 6. We conclude this paper in Section 7.

2 RELATED WORK

The idea of IDPF is motivated by the work carried out by Park and Lee [12], who evaluated the relationship between network topology and the effectiveness of route-based packet filtering. They showed that packet filters constructed based on the global routing information can significantly limit IP spoofing when deployed in just a small number of ASs. In this work, we extend the idea and demonstrate that filters that are built based on local BGP updates can also be effective.

Unicast reverse path forwarding (uRPF) [17] requires that a packet is forwarded only when the interface that the packet arrives on is exactly the same as the one used by the router to reach the source IP of the packet. If the interface does not match, the packet is dropped. Although this is simple, the scheme is limited, given that Internet routing is inherently asymmetric; that is, the forward and reverse paths between a pair of hosts are often quite different. The uRPF loose mode [18] overcomes this limitation by removing the match requirement on the specific incoming interface for the source IP address. A packet is forwarded as long as the source IP address is in the forwarding table. However, the loose mode is less effective in detecting spoofed packets. In Hop-Count Filtering (HCF) [19], each end system maintains a mapping between IP address aggregates and valid hop counts from the origin to the end system. Packets that arrive with a different hop count are suspicious and are therefore discarded or marked for further processing. In Path Identification [20], each packet along a path is marked by a unique Path Identifier (Pi) of the path. Victim nodes can filter packets based on the Pi carried in the packet header. StackPi [21] improved the incremental deployment property of Pi by proposing two new packet marking schemes. In [22], Li et al. described SAVE, which is a new protocol for networks to propagate valid network prefixes along the same paths that data packets will follow. Routers along the paths can thus construct the appropriate filters by using the prefix and path information. Bremler-Barr and Levy proposed a spoofing prevention method (SPM) [23], where packets that were exchanged between members of the SPM scheme carry an authentication key that is associated with the source and destination AS domains. Packets arriving at a destination domain with an invalid authentication key (with respect to the source domain) are spoofed packets and are discarded. In the Packet Passport System [24], a packet that originated in a participating domain carries a passport that is computed based on secret keys shared by the source domain and the transit domains from the source to the destination. Packets carrying an invalid passport are discarded by the transit domains.

In the Network Ingress Filtering proposal described in [25], traffic originating in a network is forwarded only if the source IP in the packets belongs to the network. Ingress filtering primarily prevents a specific network from being used for attacking others. Thus, although there is a collective social benefit when everyone deploys it, individuals do not receive direct incentives. Finally, the Bogon Route Server Project [26] maintains a list of bogon network prefixes that are not routable on the public Internet. Examples include private RFC 1918 address blocks and unassigned address prefixes. Packets with source addresses in the bogon list are filtered out. However, this mechanism cannot filter out attack packets carrying routable but spoofed source addresses.

3 BORDER GATEWAY PROTOCOL AND AS INTERCONNECTIONS

In this section, we briefly describe a few key aspects of BGP that are relevant to this paper (see [27] for a comprehensive description). We model the AS graph of the Internet as an undirected graph G = (V, E). Each node v ∈ V corresponds to an AS, and each edge e(u, v) ∈ E represents a BGP session between two neighboring ASs u, v ∈ V. To ease the exposition, we assume that there is at most one edge between a pair of neighboring ASs.

Each node owns one or multiple network prefixes. Nodes exchange BGP route updates, which may be announcements or withdrawals, to learn of changes in reachability to destination network prefixes. A route announcement contains a list of route attributes associated with the destination network prefix. Of particular interest to us are the path vector attribute as_path, which is the sequence of ASs that this route has been propagated over, and the local_pref attribute that describes the degree of local preference associated with the route. We will use r.as_path, r.local_pref, and r.prefix to denote the as_path, the local_pref, and the destination network prefix of r, respectively. Let $r.\mathit{as\_path} = \langle v_k\, v_{k-1}\, \ldots\, v_1\, v_0 \rangle$. The route was originated (first announced) by node $v_0$, which owns the network prefix r.prefix. Before arriving at node $v_k$, the route was carried over nodes $v_1, v_2, \ldots, v_{k-1}$ in that order. For $i = k, k-1, \ldots, 1$, we say that edge $e(v_i, v_{i-1})$ is on the AS path, that is, $e(v_i, v_{i-1}) \in r.\mathit{as\_path}$.

When there is no confusion, route r and its AS path r.as_path are used interchangeably. For convenience, we also consider a specific destination AS d. All route announcements and withdrawals are specific to the network prefixes owned by d. For simplicity, notation d is also used to denote the network prefixes owned by the AS d. As a consequence, a route r that can be used to reach the
network prefixes owned by destination d may simply be expressed as a route to reach destination d.

TABLE 1. Import Routing Policies at an AS (table body not reproduced on this page)

TABLE 2. Export Routing Policies at an AS (table body not reproduced on this page)

3.1 Policies and Route Selection

Each node only selects and propagates to neighbors a single best route to the destination, if any. Both the selection and the propagation of best routes are governed by locally defined routing policies. Two distinct sets of routing policies are typically employed by a node: import policies and export policies. Neighbor-specific import policies are applied upon routes learned from neighbors, whereas neighbor-specific export policies are imposed on locally selected best routes before they are propagated to the neighbors.

In general, import policies can affect the "desirability" of routes by modifying route attributes. Let r be a route (to destination d) received at v from node u. We denote by import(v ← u)[{r}] the possibly modified route that has been transformed by the import policies. The transformed routes are stored in v's routing table. The set of all such routes is denoted as candidateR(v, d):

$$\mathit{candidateR}(v,d) = \big\{\, r : \mathit{import}(v \leftarrow u)[\{r\}] \neq \{\},\ r.\mathit{prefix} = d,\ \forall u \in N(v) \,\big\}. \qquad (1)$$

Here, N(v) is the set of v's neighbors.

Among the set of candidate routes candidateR(v, d), node v selects a single best route to reach the destination based on a well-defined procedure (see [27]). To aid in description, we shall denote the outcome of the selection procedure at node v, that is, the best route, as bestR(v, d), which reads as the best route to destination d at node v. Having selected bestR(v, d) from candidateR(v, d), v then exports the route to its neighbors after applying neighbor-specific export policies. The export policies determine if a route should be forwarded to the neighbor, and if so, they modify the route attributes according to the policies (see Section 3.2). We denote by export(v → u)[{r}] the route sent to neighbor u by node v after node v applies the export policies on route r.

BGP is an incremental protocol: updates are generated only in response to network events. In the absence of any event, no route updates are triggered or exchanged between neighbors, and we say that the routing system is in a stable state. Formally,

Definition 1 (stable routing state). A routing system is in a stable state if all the nodes have selected a best route to reach other nodes and no route updates are generated (or propagated).

3.2 AS Relationships and Routing Policies

The specific routing policies that an AS internally employs are largely determined by economics: connections between ASs follow a few commercial relations. A pair of ASs can enter into one of the following arrangements [14], [16]:

• Provider to customer. In this arrangement, a customer AS pays the provider AS to carry its traffic. It is most common when the provider is much larger in size than the customer.
• Peer to peer. In a mutual peering agreement, the ASs decide to carry traffic from each other (and their customers). Mutual peers do not carry transit traffic for each other.
• Sibling to sibling. In this arrangement, two ASs provide mutual transit service to each other. Each sibling AS can be regarded as the provider of the other AS.

An AS's relationship with a neighbor largely determines the neighbor-specific import and export routing policies. In this paper, we assume that each AS sets its import routing policies and export routing policies according to the rules specified in Tables 1 [15] and 2 [14], [16], respectively. These rules are commonly used by ASs on the current Internet. In Table 1, r1 and r2 denote the routes (to destination d) received by node v from neighbors u1 and u2, respectively. customer(v), peer(v), provider(v), and sibling(v) denote the set of customers, peers, providers, and siblings of node v, respectively. The import routing policies in Table 1 state that an AS will prefer the routes learned from customers or siblings over the routes learned from peers or providers.

In Table 2, the columns marked with r1-r4 specify the export policies employed by an AS to announce routes to providers, customers, peers, and siblings, respectively. For instance, export rule r1 instructs that an AS will announce routes to its own networks, and routes learned from customers and siblings, to a provider, but it will not announce routes learned from other providers and peers to the provider. The net effect of these rules is that they limit the possible paths between each pair of ASs. Combined together, the import and export policies also ensure the propagation of valid routes on the Internet. For example, combining the import and export policies, we can guarantee that a provider will propagate a route to a customer to other ASs (customers, providers, peers, and siblings). If an AS does not follow the import policies, for example, it may prefer an indirect route via a peer instead of a direct route to a customer. In this case, based on export rule r3, the AS will not propagate the route (via a peer) to a customer to a peer, since the best route (to the customer) is learned from a peer. This property is critical to the construction and correctness of IDPFs (see Sections 4.2 and 4.3). The routing policies in Tables 1 and 2 are incomplete. In some cases, ASs may apply less restrictive policies. For the moment, we assume that all ASs follow the import and export routing policies specified in Tables 1 and 2 and that each AS accepts legitimate routes exported by neighbors. More general cases will be discussed at the end of the next section.

If AS b is a provider of AS a and AS c is a provider of AS b, then we call c an indirect provider of a, and a an indirect
customer of c. Indirect siblings are defined in a similar fashion. The import and export routing policies in Tables 1 and 2 imply that an AS will distribute the routes to direct or indirect customers/siblings to its peers and providers. If e(u, v) ∈ bestR(s, d).as_path, we say that u is the best upstream neighbor of node v for traffic from node s to destination d, and we denote u as u = bestU(s, d, v). For ease of exposition, we augment the AS graph with the relationships between neighboring ASs. We refer to an edge from a provider to a customer AS as a provider-to-customer edge, an edge from a customer to a provider as a customer-to-provider edge, and an edge connecting sibling (peering) ASs as a sibling-to-sibling (peer-to-peer) edge. A downhill path is a sequence of edges that are either provider-to-customer or sibling-to-sibling edges, and an uphill path is a sequence of edges that are either customer-to-provider or sibling-to-sibling edges. Gao [14] established the following about the candidate routes in a BGP routing table:

Theorem 1 (see [14]). If all ASs set their export policies according to r1-r4, a candidate route in a BGP routing table can be any of the following:
1. an uphill path,
2. a downhill path,
3. an uphill path followed by a downhill path,
4. an uphill path followed by a peer-to-peer edge,
5. a peer-to-peer edge followed by a downhill path, or
6. an uphill path followed by a peer-to-peer edge, which is followed by a downhill path.

4 INTERDOMAIN PACKET FILTERS

In this section, we discuss the intuition behind the IDPF architecture, describe how IDPFs are constructed using BGP route updates, and establish the correctness of IDPFs. After that, we discuss the case where ASs have routing policies that are less restrictive than the ones in Tables 1 and 2. We shall assume that the routing system is in the stable routing state in this section. We will discuss how IDPFs fare with network routing dynamics in the next section.

Let M(s, d) denote a packet whose source address is s (or more generally, the address belongs to AS s) and whose destination address is d. A packet filtering scheme decides whether a packet should be forwarded or dropped based on certain criteria. One example is the route-based packet filtering [12]:

Definition 2 (route-based packet filtering). Node v accepts packet M(s, d) that is forwarded from node u if and only if e(u, v) ∈ bestR(s, d). Otherwise, the source address of the packet is spoofed, and the packet is discarded by v.

In the context of preventing IP spoofing, an ideal packet filter should discard spoofed packets while allowing legitimate packets to reach the destinations. Since, even with the perfect routing information, the route-based packet filters cannot identify all spoofed packets [12], a valid packet filter should focus on not dropping any legitimate packets while providing the ability to limit spoofed packets. Accordingly, we define the correctness of a packet filter as follows:

Definition 3 (correctness of packet filtering). A packet filter is correct if it does not discard packets with valid source addresses when the routing system is stable.

Clearly, the route-based packet filtering is correct, because valid packets from source s to destination d will only traverse the edges on bestR(s, d). Computing route-based packet filters requires the knowledge of bestR(s, d) on every node, which is impossible in BGP. IDPF overcomes this problem.

4.1 IDPF Overview

The following concepts will be used in this section. A topological route between nodes s and d is a loop-free path between the two nodes. Topological routes are implied by the network connectivity. A topological route is a feasible route under BGP if and only if the construction of the route does not violate the routing policies imposed by the commercial relationship between ASs (Tables 1 and 2). Formally, let feasibleR(s, d) denote the set of feasible routes from s to d. Then, feasibleR(s, d) can recursively be defined as follows:

$$\mathit{feasibleR}(s,d) = \Big\{\, \big\langle\, s \oplus \bigcup_{\substack{u :\ \mathit{import}(s \leftarrow u)[\{r\}] \neq \{\},\\ r.\mathit{prefix} = d,\ u \in N(s)}} \mathit{feasibleR}(u,d) \,\big\rangle \Big\},$$

where ⊕ is the concatenation operation, for example, {s ⊕ {⟨ab⟩, ⟨uv⟩}} = {⟨sab⟩, ⟨suv⟩}. Notice that feasibleR(s, d) contains all the routes between the pair that do not violate the import and export routing policies specified in Tables 1 and 2. Obviously, bestR(s, d) ∈ candidateR(s, d) ⊆ feasibleR(s, d). Each of the feasible routes can potentially be a candidate route in a BGP routing table. Theorem 1 also applies to feasible routes.

Definition 4 (feasible upstream neighbor). Consider a feasible route r ∈ feasibleR(s, d). If an edge e(u, v) is on the feasible route, that is, e(u, v) ∈ r.as_path, we say that node u is a feasible upstream neighbor of node v for packet M(s, d). The set of all such feasible upstream neighbors of v (for M(s, d)) is denoted as feasibleU(s, d, v).

The intuition behind the IDPF framework is the following: First, it is possible for a node v to infer its feasible upstream neighbors by using BGP route updates. The technique for inferring feasible upstream neighbors is described in the next section. Since bestR(s, d) ∈ candidateR(s, d) ⊆ feasibleR(s, d), a node can only allow M(s, d) from its feasible upstream neighbors to pass and discard all other packets. Such a filtering will not discard packets with valid source addresses. Second, although network connectivity (topology) may imply a large number of topological routes between a source and a destination, the commercial relationship between ASs and routing policies employed by ASs act to restrict the size of feasibleR(s, d). Consider the example in Fig. 1. Figs. 2a and 2b present the topological routes implied by the network connectivity and feasible routes constrained by routing policies between source s and destination d, respectively. In Fig. 2b, we assume that nodes a, b, c, and d have a mutual peering relationship, and that a and b are providers to s. We see that although there are 10 topological routes between source s and destination d, we only have two feasible routes that are supported by routing policies. Of more importance to IDPF is that although the network topology may imply that all neighbors can forward a packet allegedly from a source to a node, feasible routes constrained by routing policies help limit the set of such neighbors. As an example,
let us consider the situation at node d. Given that only nodes a and b (but not c) are on the feasible routes from s to d, node d can infer that all packets forwarded by node c and allegedly from source s are spoofed and should be discarded.

Fig. 1. An example network topology.

Fig. 2. Routes between source s and destination d. (a) Topological routes implied by connectivity. (b) Feasible routes constrained by routing policies.
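The Fig. 1 scenario just described, worked through in code. This is an example added to this page, not the authors' implementation: it models the import policy of Table 1 and the export rules r1-r4 of Table 2 as Section 3.2 describes them (that r4 lets an AS announce every route to a sibling, and the shortest-path and alphabetical tie-breaks in best-route selection, are this example's own assumptions), enumerates the topological and feasible routes of Fig. 2 using the path types of Theorem 1, and then applies the IDPF rule of Definition 5 (Section 4.2) at node d: only packets M(s, d) forwarded by a or b are accepted, and those forwarded by c are discarded. For comparison it also computes bestU(s, d, d), which the route-based filter of Definition 2 would need.

```python
"""Toy model of BGP route propagation under the policies of Tables 1 and 2,
Theorem 1 path types, and the IDPF decision of Definition 5, run on the
Fig. 1 topology (a, b, c, d mutual peers; a and b providers of s).
Example code added to this page; not the paper's own implementation."""


class ASGraph:
    """AS graph with commercial relationships. rel[(u, v)] is what v is to u:
    'provider', 'customer', 'peer' or 'sibling'."""

    def __init__(self, providers, peers, siblings=()):
        self.rel = {}
        for customer, provider in providers:
            self.rel[(customer, provider)] = "provider"
            self.rel[(provider, customer)] = "customer"
        for kind, pairs in (("peer", peers), ("sibling", siblings)):
            for u, v in pairs:
                self.rel[(u, v)] = self.rel[(v, u)] = kind
        self.nodes = sorted({n for edge in self.rel for n in edge})

    def neighbors(self, v):
        return sorted(u for (x, u) in self.rel if x == v)

    # Table 2 (export) as described in Section 3.2: to a provider (r1) or a
    # peer (r3) an AS announces only its own routes and routes learned from
    # customers or siblings; to a customer (r2) it announces every route.
    # Announcing every route to a sibling (r4) is an assumption of this example.
    def export(self, u, v, route):
        if route is None or v in route["path"]:          # nothing to send / loop
            return None
        if self.rel[(u, v)] in ("provider", "peer") and \
                route["from"] not in ("own", "customer", "sibling"):
            return None
        return route

    # Table 1 (import) as described in Section 3.2: prefer routes learned from
    # customers or siblings over routes from peers or providers. Shorter AS
    # path and then lexicographic order are this example's assumed tie-breaks.
    def import_rank(self, route):
        pref = 0 if route["from"] in ("own", "customer", "sibling") else 1
        return (pref, len(route["path"]), route["path"])

    def best_routes(self, dest, max_rounds=100):
        """bestR(v, dest) for every v: updates are exchanged until no node
        changes its selection, i.e. the stable state of Definition 1."""
        best = {v: None for v in self.nodes}
        best[dest] = {"path": (dest,), "from": "own"}
        for _ in range(max_rounds):
            changed = False
            for v in self.nodes:
                if v == dest:
                    continue
                cands = []
                for u in self.neighbors(v):
                    r = self.export(u, v, best[u])
                    if r is not None:
                        cands.append({"path": (v,) + r["path"], "from": self.rel[(v, u)]})
                new = min(cands, key=self.import_rank) if cands else None
                if new != best[v]:
                    best[v], changed = new, True
            if not changed:
                return best
        raise RuntimeError("routing did not converge")

    # Definition 5 (IDPF): v accepts M(s, d) forwarded by neighbour u iff
    # export(u -> v)[{bestR(u, s)}] is non-empty; the destination plays no role.
    def idpf_accept(self, v, u, s):
        return self.export(u, v, self.best_routes(s)[u]) is not None

    def feasible_upstream(self, s, v):
        """feasibleU(s, d, v) inferred from what neighbours exported (Lemma 1)."""
        best = self.best_routes(s)
        return [u for u in self.neighbors(v) if self.export(u, v, best[u]) is not None]

    # Definition 2 needs bestU(s, d, v), the predecessor of v on bestR(s, d),
    # which only a global view supplies; computed here for comparison.
    def best_upstream(self, s, d, v):
        path = self.best_routes(d)[s]["path"]
        i = path.index(v)
        return path[i - 1] if i > 0 else None

    def simple_paths(self, s, d):
        """Topological routes: loop-free paths implied by connectivity."""
        out = []

        def walk(path):
            if path[-1] == d:
                out.append(tuple(path))
                return
            for u in self.neighbors(path[-1]):
                if u not in path:
                    walk(path + [u])
        walk([s])
        return out

    def is_valley_free(self, path):
        """Theorem 1: uphill edges, then at most one peer-to-peer edge, then
        downhill edges; sibling edges may appear in either segment."""
        stage = 0                      # 0 = uphill, 1 = peer edge seen, 2 = downhill
        for x, y in zip(path, path[1:]):
            rel = self.rel[(x, y)]
            if rel == "provider" and stage != 0:   # climbing again after descent
                return False
            if rel == "peer":
                if stage != 0:
                    return False
                stage = 1
            elif rel == "customer":                # provider-to-customer edge
                stage = 2
        return True

    def feasible_routes(self, s, d):
        return [p for p in self.simple_paths(s, d) if self.is_valley_free(p)]


# Fig. 1 topology as the text describes it (constructed for this example).
FIG1 = ASGraph(providers=[("s", "a"), ("s", "b")],
               peers=[("a", "b"), ("a", "c"), ("a", "d"), ("b", "c"), ("b", "d"), ("c", "d")])

if __name__ == "__main__":
    print(len(FIG1.simple_paths("s", "d")), "topological routes; feasible:", FIG1.feasible_routes("s", "d"))
    print("feasibleU(s, d, d) =", FIG1.feasible_upstream("s", "d"))
    print("bestU(s, d, d) =", FIG1.best_upstream("s", "d", "d"))
    for u in FIG1.neighbors("d"):
        print(f"M(s, d) forwarded by {u}:", "accept" if FIG1.idpf_accept("d", u, "s") else "discard")
```

Running the block reports 10 topological routes but only the two feasible routes ⟨s a d⟩ and ⟨s b d⟩, feasibleU(s, d, d) = [a, b], and bestU(s, d, d) = a. Node c's best route to s is learned from a peer, so export rule r3 keeps c from announcing it to d; d therefore never sees a route to s from c and, under Definition 5, discards M(s, d) arriving from c. The route-based filter of Definition 2 would accept M(s, d) from a alone, which is the sense in which IDPF is less selective than route-based filtering but computable from the updates d itself receives.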
It is clear that IDPF is less powerful than route-based packet filters [12], since the IDPFs are computed based on feasibleR(s, d) instead of bestR(s, d). However, feasibleU(s, d, v) can be inferred from local BGP updates, whereas bestU(s, d, v) cannot.

4.2 Constructing IDPFs

The following lemma summarizes the technique for identifying the feasible upstream neighbors of node v for packet M(s, d):

Lemma 1. Consider a feasible route r between source s and destination d. Let v ∈ r.as_path and let u be the feasible upstream neighbor of node v along r. When the routing system is stable, export(u → v)[{bestR(u, s)}] ≠ {}, assuming that all ASs follow the import and export routing policies in Tables 1 and 2 and that each AS accepts legitimate routes exported by neighbors.

Lemma 1 states that if node u is a feasible upstream neighbor of node v for packet M(s, d), node u must have exported to node v its best route to reach the source s.

Proof. Since Theorem 1 applies to feasible routes, a feasible route can be one of the six types of paths in Theorem 1. In the following, we assume that the feasible route r is of type 6, that is, an uphill path followed by a peer-to-peer edge, which is followed by a downhill path. Cases where r is of types 1-5 can similarly be proved. To prove the lemma, we consider the possible positions of nodes u and v in the feasible route:

Case 1. Nodes u and v belong to the uphill path. Then, node s must be an (indirect) customer or sibling of node u. From the import routing policies in Table 1, the export routing policy r1, and the definition of indirect customers/siblings, we know that u will propagate to (provider) node v the reachability information of s.

Case 2. e(u, v) is the peer-to-peer edge. This case can similarly be proved as case 1 (based on the import routing policies in Table 1 and the export routing policy r3).

Case 3. Nodes u and v belong to the downhill path. Let e(x, y) be the peer-to-peer edge along the feasible route r and note that u is an (indirect) customer of y. From the proof of case 2, we know that node y learns the reachability information of s from x. From the export routing policy r2 and the definition of indirect customers, node y will propagate the reachability information of s to node u, which will further export the reachability information of s to (customer) node v. □

Based on Lemma 1, a node can identify the feasible upstream neighbors for packet M(s, d) and conduct IDPF as follows:

Definition 5 (IDPF). Node v will accept packet M(s, d) that is forwarded by a neighbor node u if and only if export(u → v)[{bestR(u, s)}] ≠ {}. Otherwise, the source address of the packet must have been spoofed, and the packet should be discarded by node v.

4.3 Correctness of IDPF

Theorem 2. An IDPF, as defined in Definition 5, is correct.

Proof. Without loss of generality, consider source s, destination d, and a node v ∈ bestR(s, d).as_path such that v deploys an IDPF. To prove the theorem, we need to establish that v will not discard packet M(s, d) forwarded by the best upstream neighbor u along bestR(s, d). Since bestR(s, d) ∈ candidateR(s, d) ⊆ feasibleR(s, d), u is also a feasible upstream neighbor of node v for packet M(s, d). From Lemma 1, u must have exported to node v its best route to source s. That is, export(u → v)[{bestR(u, s)}] ≠ {}. From Definition 5, packet M(s, d), which is forwarded by node u, will not be discarded by v. □

Notice that the destination address d in a packet M(s, d) does not play a role in an IDPF node's filtering decision (Definition 5). By constructing filtering tables based on the source address alone (rather than both source and destination addresses), the per-neighbor space complexity for an IDPF node is reduced from O(N²) to O(N), where N = |V| is the number of nodes in the graph (the route-based scheme can achieve the same complexity bound [12]).

It is worth noting that IDPFs filter packets based on whether the reachability information of a network prefix is propagated by a neighbor and not on how the BGP updates are propagated. As long as ASs propagate network reachability information according to the rules in Tables 1 and 2, IDPFs work correctly. Moreover, the effectiveness of IDPFs is determined largely by the size of feasibleR(s, d), which is a function of the (relatively static) AS relationships. Hence, how the BGP updates are propagated affects neither the correctness nor the performance of IDPFs. For example, the multiple-path advertisement supported by MIRO [28] will not affect IDPFs' correctness and effectiveness.

4.4 Routing Policy Complications

As discussed earlier, the import routing policies and the export routing policies specified in Tables 1 and 2 are not
complete. In particular, multihomed ASs may employ less restrictive routing policies for traffic engineering or other purposes [29]. In this section, we first present two traffic engineering examples that do not follow the import and export routing policies specified in Tables 1 and 2. Then, we discuss how ASs that employ these special traffic engineering practices should control the forwarding of their traffic to ensure the delivery of their traffic in the IDPF framework.

In the first example (see Fig. 3), based on [27], ASs a and b are providers of AS s, and s has two prefixes 138.39/16 and 204.70/16. The link between a and s is used as the primary and backup link for 138.39/16 and 204.70/16, respectively, whereas the link between b and s is used in the reverse manner. To achieve this traffic engineering goal, s informs a to assign the direct customer route r1 between a and s a lower local preference than the peering route r2 learned from b to reach the network prefix 204.70/16. That is, r1.local_pref < r2.local_pref. This local preference assignment at node a does not follow the import routing policies defined in Table 1, which require that an AS should prefer a direct route over an indirect route (through a peer) to reach a customer.

Fig. 3. Automatic backup route.

Now, consider the example in Fig. 4. Customer s has a primary provider a and a backup provider b. AS s realizes this goal by using a technique called conditional route advertisement. Prefix 138.39/16 is announced to the backup provider b only if the link to the primary provider a fails. This asymmetric advertisement does not follow the export routing policy r1 defined in Table 2, which states that a

Fig. 4. Conditional route advertisement.

the correctness of IDPFs, as defined in Definition 5, on the Internet. The proof is similar to that of Lemma 1 and Theorem 2, and we omit it here.

5 PRACTICAL DEPLOYMENT ISSUES OF IDPFS

5.1 Incremental Deployment

IDPFs can independently be deployed in each AS. IDPFs are deployed at the border routers so that IP packets can be inspected before they enter the network. By deploying IDPFs, an AS constrains the set of packets that a neighbor can forward to the AS: a neighbor can only successfully forward a packet M(s, d) to the AS after it announces the reachability information of s. All other packets are identified as carrying spoofed source addresses and are discarded at the border router of the AS. In the worst case, even if only a single AS deploys IDPF and spoofed IP packets can get routed all the way to the AS in question, using an IDPF perimeter makes it likely that spoofed packets will be identified and, hence, blocked at the perimeter. Clearly, if the AS is well connected, launching a DDoS attack upon the perimeter itself takes a lot more effort than targeting individual hosts and services within the AS. In contrast, ASs that do not deploy IDPF offer relatively little protection to the internal hosts and services. Therefore, an AS has direct benefits from deploying IDPFs. In general, by deploying IDPFs, an AS can also protect other
customer will always export to its providers the routes to its ASs to which the AS transports traffic, in particular the
own prefixes. customer ASs. It can similarly be understood that an IDPF
In the examples, the customer s controls the route node limits the set of packets forwarded by a neighbor and
propagation either by manipulating the local preference of destined for a customer of the AS.
the routes in providers (see Fig. 3) or by conditional route
5.2 Handling Routing Dynamics
advertisement (see Fig. 4). As long as the customer AS does
not forward packets through the backup route while the So far, we have assumed that the AS graph is a static
primary route is still available, the IDPF architecture will structure. In reality, the graph changes, triggering the
not discard any valid packets. This requirement is not hard generation of BGP updates and altering the paths that ASs
to meet, since the customer controls both the route use in reaching each other. In this section, we examine how
propagation and traffic delivery. The same observation routing dynamics affects the operation of IDPFs. We
applies to other cases when the routing policies specified in consider two different types of routing dynamics: 1) those
Tables 1 and 2 are not followed. We have the following caused by network failures and 2) those caused by the
restricted traffic forwarding policy for the ASs that do not creation of a new network (or recovery from a fail-down
follow the routing policies specified in Tables 1 and 2. network event). Routing dynamics caused by routing policy
Restricted traffic forwarding policy. If an AS does not changes can similarly be addressed, and we omit them here.
follow the import and export routing policies in Tables 1 IDPFs are completely oblivious to the specifics of the
and 2, as long as the primary route is available, the AS announced routes. Following a network failure, the set of
should not forward traffic along other (backup) routes. feasible upstream neighbors will not admit more members
If each AS on the Internet follows the import routing during the period of routing convergence, assuming that AS
policies in Table 1 and the export routing policies in Table 2 relationships are static, which is true in most cases. Hence, for
or the restricted traffic forwarding policy, we can establish the first type of routing dynamics (network failure), there is
IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 5, NO. 1, JANUARY-MARCH 2008

no possibility that the filters will block a valid packet. We illustrate this as follows: Consider an IDPF-enabled AS $v$ that is on the best route from $s$ to $d$. Let $u = \mathit{bestU}(s, d, v)$ and $U = \mathit{feasibleU}(s, d, v)$. A link or router failure between $u$ and $s$ can have three outcomes: 1) AS $u$ can still reach AS $s$, and $u$ is still chosen to be the best upstream neighbor for packet $M(s, d)$, that is, $u = \mathit{bestU}(s, d, v)$. In this situation, although $u$ may explore and announce multiple routes to $v$ during the path exploration process [30], the filtering function of $v$ is unaffected. 2) AS $u$ is no longer the best upstream neighbor for packet $M(s, d)$, and another feasible upstream neighbor $u' \in U$ can reach AS $s$ and is instead chosen to be the new best upstream neighbor (for $M(s, d)$). Now, both $u$ and $u'$ may explore multiple routes; however, since $u'$ has already announced a route (about $s$) to $v$, the IDPF at $v$ can correctly filter (that is, accept) packet $M(s, d)$, which is forwarded from $u'$. 3) No feasible upstream neighbors can reach $s$. Consequently, AS $v$ will also not be able to reach $s$, and $v$ will no longer be on the best route between $s$ and $d$. No new packet $M(s, d)$ should be sent through $v$.

The other concern of routing dynamics relates to how a newly connected network (or a network recovered from a fail-down event) will be affected. In general, a network may start sending data immediately following the announcement of a (new) prefix, even before the route has had time to propagate to the rest of the Internet. During the time that the route should be propagated, packets from this prefix may be discarded by some IDPFs if the reachability information has not propagated to them. However, the mitigating factor here is that in contrast to the long convergence delay that follows failure, reachability for the new prefix will be distributed far more speedily. In general, the time taken for such new prefix information to reach an IDPF is proportional to the shortest AS path between the IDPF and the originator of the prefix and independent of the number of alternate paths between the two. Previous work has established this bound to be $O(L)$, with $L$ being the diameter of the AS graph [30]. We believe that in this short timescale, it is acceptable for IDPFs to potentially incorrectly behave (discarding valid packets). It must be noted that during BGP route convergence periods, without IDPF, BGP can also drop packets. One alternative solution is to allow a neighbor to continue forwarding packets from a source within a grace period, after the corresponding network prefix has been withdrawn by the neighbor. In this case, during this short period, IDPFs may fail to discard spoofed attack packets. However, given that most DDoS attacks require a persistent train of packets to be directed at a victim, not discarding spoofed packets for this short period of time should be acceptable. We plan to further investigate related issues in the future.

In short, IDPFs can handle the routing dynamics caused by network failures, which may cause long route convergence times. IDPFs may, however, drop packets in the network recovery events. We argue that this is not a big problem, since 1) the network recovery events typically have a short convergence time and 2) such events can also cause service disruptions in the original BGP without IDPF.

5.3 Overlapping Prefixes

In the IDPF architecture, all ASs along the path from $s$ to $d$ can spoof the source address of $s$ and reach $d$ without being filtered out. The route-based packet filtering has a similar behavior. Due to this property, IDPF is most effective when different ASs own nonoverlapping prefixes. For example, let $s$ be 1.2/16. Then, all ASs along the path from $s$ to $d$ can spoof this prefix. Now, if there is a more specific address $s' = $ 1.2.3/24 somewhere in the network, all these ASs can now also spoof $s'$, since a more specific prefix also matches a more general prefix. This situation does not happen when prefixes are not overlapped. Hence, statistically, IDPF is more effective when prefixes are not overlapped. However, due to the ubiquitous use of classless addressing, that is, CIDR [31], the prefixes owned by different ASs may overlap. The effect of overlapping prefixes will be studied in the next section.

6 PERFORMANCE STUDIES

In this section, we first discuss the objectives of our performance studies and the corresponding performance metrics. We then describe the data sets and specific settings used in the simulation studies. Finally, detailed results obtained from simulations are presented.

6.1 Objectives and Metrics

We evaluate the effectiveness of IDPFs in controlling IP spoofing-based DDoS attacks from two complementary perspectives [12]. First, we wish to understand how effective the IDPFs are in proactively limiting the capability of an attacker to spoof addresses of ASs other than its own. IDPFs do not provide complete protection, and spoofed packets may still be transmitted. Thus, the complementary reactive view is also important. We study how the deployed IDPFs can improve IP traceback effectiveness by localizing the actual source of spoofed packets. Since the (incremental) deployment of IDPFs directly affects the effectiveness, various deployment scenarios are considered. The last dimension of our simulation studies concerns the issue of incentive, that is, how an individual AS will benefit from deploying IDPF on its routers.

We use the performance metrics introduced in [12] in our study. Given any pair of ASs, say, $a$ and $t$, $S_{a,t}$ is the set of ASs from which an attacker in AS $a$ can forge addresses to attack $t$. For any pair of ASs, $s$ and $t$, $C_{s,t}$ is the set of ASs from which attackers can attack $t$ by using addresses that belong to $s$, without such packets being filtered before they reach $t$.

To establish a contrast, consider that $S_{a,t}$ quantifies the pool of IP addresses that may be forged by an attacker in $a$ to send packets to $t$ without being stopped. On the other hand, $C_{s,t}$ is defined from the victim's perspective. This quantifies the size of the set of ASs that can forge an address belonging to $s$ in sending packets to $t$ without being discarded along the way. Thus, the latter is a measure of the effort required at AS $t$ to trace the packets to the actual source (there are $|C_{s,t}|$ locations from which the packet could have originated).

6.1.1 Proactive Prevention Metrics

Given the AS graph $G = (V, E)$, we define the prevention metric from the point of view of the victim as follows:

$$\mathit{VictimFraction}(\tau) = \frac{|\{t : \forall a \in V,\ |S_{a,t}| \le \tau\}|}{|V|}.$$

VictimFraction(τ), which is redefined from [12], denotes the proportion of ASs that satisfy the following property: if an arbitrary attacker intends to generate spoofed packets, it can successfully use the IP addresses of at most
$\tau$ ASs (note that this includes the attacker's own AS). Thus, VictimFraction(τ) represents the effectiveness of IDPFs in protecting ASs against spoofing-based DDoS attacks, that is, the fraction of ASs that can be attacked by attackers who can spoof addresses of at most τ networks. For instance, VictimFraction(1), which should be read as the fraction of ASs that can be attacked with packets from at most one AS, describes the immunity to all spoofing-based attacks.

Next, we define a metric from the attacker's perspective. Given $G = (V, E)$, AttackFraction(τ), as defined in [12], describes the fraction of ASs from which an attacker can forge addresses belonging to at most τ ASs (including the attacker's own) in attacking any other ASs in the graph:

$$\mathit{AttackFraction}(\tau) = \frac{|\{a : \forall t \in V,\ |S_{a,t}| \le \tau\}|}{|V|}.$$

Intuitively, AttackFraction(τ) is the strength of IDPFs in limiting the spoofing capability of an arbitrary attacker. For instance, AttackFraction(1) quantifies the fraction of ASs from which an attacker cannot spoof any address other than its own.

6.1.2 Reactive IP Traceback Metrics

To evaluate the effectiveness of IDPFs in reducing the IP traceback effort, that is, the act of determining the true origin of spoofed packets, VictimTraceFraction(τ) is defined in [12], which is the proportion of ASs being attacked that can localize the true origin of an attack packet to be within τ ASs:

$$\mathit{VictimTraceFraction}(\tau) = \frac{|\{t : \forall s \in V,\ |C_{s,t}| \le \tau\}|}{|V|}.$$

For instance, VictimTraceFraction(1) is simply the fraction of ASs, which, when attacked, can correctly identify the (single) source AS from which the spoofed packet was originated.

6.1.3 Incentives to Deploy IDPF

To formally study the gains that ASs might accrue by deploying IDPFs on their border routers, we introduce a related set of metrics: $\mathit{VictimFraction}_{\mathit{IDPF}}(\tau)$, $\mathit{AttackFraction}_{\mathit{IDPF}}(\tau)$, and $\mathit{VictimTraceFraction}_{\mathit{IDPF}}(\tau)$. Let $T$ denote the set of ASs that support IDPFs:

$$\mathit{VictimFraction}_{\mathit{IDPF}}(\tau) = \frac{|\{t \in T : \forall a \in V,\ |S_{a,t}| \le \tau\}|}{|T|},$$

$$\mathit{AttackFraction}_{\mathit{IDPF}}(\tau) = \frac{|\{a \in V : \forall t \in T,\ |S_{a,t}| \le \tau\}|}{|V|},$$

$$\mathit{VictimTraceFraction}_{\mathit{IDPF}}(\tau) = \frac{|\{t \in T : \forall s \in V,\ |C_{s,t}| \le \tau\}|}{|T|}.$$

Note that these are similar to the metrics defined earlier, that is, VictimFraction(τ), AttackFraction(τ), and VictimTraceFraction(τ), respectively. However, we restrict the destinations to the set of IDPF-enabled ASs rather than the entire population of ASs.

Note also that VictimFraction(τ), AttackFraction(τ), and VictimTraceFraction(τ) correspond to $\Phi_1(\tau)$, $\Phi_2(\tau)$, and $\Psi_1(\tau)$ in [32], respectively. We rename them to facilitate easier understanding.

TABLE 3. Graphs Used in the Performance Studies

6.2 Data Sets

In order to evaluate the effectiveness of IDPFs, we construct four AS graphs from the BGP data archived by the Route Views Project [33]. The first three graphs, denoted $G_{2003}$, $G_{2004}$, and $G_{2005}$, are constructed from single routing table snapshots (taken from the first day of each of the years). Although these provide an indication of the evolutionary trends in the growth of the Internet AS graph, they offer only a partial view of the existing connectivity [14]. In order to obtain a more comprehensive picture, similar to [34], we construct $G_{2004c}$ by combining $G_{2003}$ and an entire year of BGP updates between $G_{2003}$ and $G_{2004}$. Note that the Slammer worm attack [35], which caused great churn of the Internet routing system, occurred during this period of time. This had the side effect of exposing more edges and paths than would normally be visible.¹ It is worth pointing out that, even with this effort, the AS graphs that we constructed still may only represent a partial view of the Internet AS-level topology and may not capture all the feasible routes between a pair of source and destination. Thus, we may overestimate the performance of IDPFs, especially for $G_{2003}$, $G_{2004}$, and $G_{2005}$.

¹ Given the lengthy period over which we applied the updates, it is likely that our AS graph includes "stale edges," that is, edges that no longer exist. We ignore this effect in our study, noting that AS relationships are quite stable and, thus, the number is likely to be very small.

Table 3 summarizes the properties of the four graphs. In this table, we enumerate the number of nodes, edges, and AS paths that we could extract from the data sets. We also include the size of the vertex cover (VC) for the graph corresponding to individual data sets (the construction will be described later). In Table 3, we see that $G_{2004c}$ has about 22,000 more edges or a 65.9 percent increase compared to $G_{2004}$. In addition, the number of observed AS paths in $G_{2004c}$ is an order of magnitude more than the observed paths in the $G_{2004}$ data.

6.2.1 Inferring Feasible Upstream Neighbors

In order for each AS to determine the feasible upstream neighbors for packets from source to destination, we also augment each graph with the corresponding AS paths used for constructing the graph [33]. We infer the set of feasible upstream neighbors for a packet at an AS as follows: In general, if we observe an AS path $\langle v_k, v_{k-1}, \ldots, v_0 \rangle$ associated with prefix $P$, we take this as an indication that $v_i$ announced the route for $P$ to $v_{i+1}$, that is, $v_i \in \mathit{feasibleU}(P, v_{i+1})$, $i = 0, 1, \ldots, k-1$.

6.2.2 Determining Routes between Two Nodes

Given an AS graph $G = (V, E)$ and a subset of nodes $T \subseteq V$ that deploy the IDPFs, the route that a packet takes from source node $s$ to destination node $t$ will determine the IDPFs that the packet will encounter on the way. Consequently, in order to compute the described performance metrics, we require the
exact routes that will be taken between any pairs of nodes. Unfortunately, there is simply no easy way to accurately get this knowledge. In this paper, as a heuristic, we simply use the shortest path on $G$. When there are multiple candidates, we arbitrarily select one of them. As a consequence, in addition to AS paths, we also include the selected shortest path as a feasible route if it has not been described in the routing updates observed. Note that this knowledge, that is, the best path from an AS to another, is only required in the simulation studies to determine the IDPFs that a packet may encounter on the way from the source to the destination. It is not required in the construction of the IDPFs. Note also that due to the way that feasible neighbors are computed, the effectiveness of IDPFs may artificially be inflated, since the set of feasible neighbors of a node in our simulations is a subset of the feasible neighbors of the node in reality (with the complete Internet topology).

6.2.3 Selecting IDPF Nodes

Given a graph $G = (V, E)$, the effectiveness of IDPF heavily depends on the filter set, that is, the nodes in $V$ supporting IDPF. We consider two methods for selecting IDPF nodes, which represent two ways that IDPFs can incrementally be deployed. In the first method, denoted as Top, we aggressively select the nodes with the highest degree to deploy IDPF. A special case of this method, denoted as VC, is selecting the IDPF nodes until a VC of $G$ is formed. The number of nodes for forming the VC for each data set is shown in Table 3. In the second method, denoted as Rnd, we randomly (uniformly) choose the nodes from $V$ until a desirable proportion of nodes are chosen. We will use the notations RndX and TopX to denote the selection of X percent of all nodes for deploying IDPFs using the Rnd and Top methods, respectively. For example, Rnd30 represents selecting 30 percent of nodes to be IDPF nodes using the Rnd method. Note that ASs with high degrees are normally Internet service providers. In particular, tier-1 service providers normally have higher degrees than others. Therefore, the Top method will likely select tier-1 nodes first. Given that the majority of AS paths traverse tier-1 providers, filters deployed at tier-1 providers (or ASs with higher degrees) are more effective in detecting spoofed traffic. On the other hand, the Rnd method may represent a more realistic IDPF deployment scenario, where ASs decide whether to deploy IDPF independently.

6.3 Results of Performance Studies

The studies are performed with the Distributed Packet Filtering (dpf) simulation tool [12]. We extended dpf to support our own filter construction based on BGP updates and to deal with overlapping prefixes. We evaluated the performance of IDPFs by using the three performance metrics (VictimFraction(τ), AttackFraction(τ), and VictimTraceFraction(τ)) under different situations. In addition, we also studied the impact of using BGP updates instead of precise routing information to construct packet filters, investigated the effect of overlapping prefixes in the Internet, and considered IDPFs with and without network ingress filtering. Before we describe the simulation results in detail, we briefly summarize the salient findings:

• IDPFs can significantly limit the spoofing capability of an attacker. For example, with the VC IDPF coverage on the 2004c data set, an attacker in more than 80 percent of ASs cannot successfully launch any spoofing-based attack on the Internet (assuming that no overlapping prefixes are announced). Moreover, with the same configuration, the AS under attack can localize the true origin of an attack packet to be within 28 ASs, thus greatly reducing the effort of IP traceback. In this summary, unless specified otherwise, all example data are based on the VC IDPF coverage on the 2004c data set, with the assumptions that IDPF nodes are also capable of ingress filtering and that there are no overlapping prefixes.

• The placement of IDPFs plays a key role in the effectiveness of IDPFs in controlling spoofing-based attacks. It is much more effective to deploy IDPFs on ASs with high connectivity (such as tier-1 ISPs) than on random ASs. For example, deploying IDPFs on 5 percent of ASs selected by the Top method is more effective than deploying IDPFs on 30 percent of ASs selected by the Rnd method in all of the three performance metrics.

• In comparison to constructing filters with precise routing information, constructing filters with BGP updates does not significantly degrade the IDPF performance in limiting spoofed packets. However, the IDPF traceback capability is substantially affected. For example, the fraction of nodes that cannot launch any spoofing-based attacks drops from 84 percent to 80 percent (a slight decrease), whereas the number of ASs that an AS can pinpoint as the potential true origin of an attack packet increases from 7 to 28 (a fairly large increase).

• Overlapping prefixes have a detrimental effect on the performance of IDPFs. However, IDPFs still work reasonably well with overlapping prefixes announced on the Internet. For example, in this case, an attacker in about 50 percent of the ASs cannot launch any spoofing-based attacks, and for the majority of attack packets, the AS under attack can pinpoint the true origin to be within 79 ASs.

• Network ingress filtering [25] helps improve the performance of IDPFs. However, even without network ingress filtering, IDPF is still effective. For example, an attacker still cannot launch any spoofing-based attacks from within more than 60 percent of ASs. Moreover, the AS under attack can localize the true origin of an attack packet to be within 87 ASs.

Next, we will present the experimental results. In all experiments, except for the ones in Section 6.3.5, we assume that ASs that deploy IDPFs, being security conscious and network savvy, also implement network ingress filtering [25].

6.3.1 IDPFs with BGP Updates and Nonoverlapping Prefixes

To begin with, we study the performance of IDPFs with BGP updates and nonoverlapping prefixes. Fig. 5 shows the results on $G_{2004c}$ with different IDPF node coverages, whereas Fig. 6 shows the results of the IDPF VC coverage on different data sets.

Fig. 5a presents the values of VictimFraction(τ) for three different ways of selecting the IDPF nodes on the $G_{2004c}$ graph: VC and random covers (Rnd50 and Rnd30). Note that VictimFraction(τ) indicates the proportion of nodes that may be attacked by an attacker that can spoof the IP addresses of at most τ nodes. As discussed earlier, IDPFs
Fig. 5. Results for $G_{2004c}$ with different IDPF node coverages. (a) VictimFraction(τ). (b) AttackFraction(τ). (c) VictimTraceFraction(τ).

Fig. 6. Results for $G_{2003}$, $G_{2004}$, $G_{2004c}$, and $G_{2005}$ with the VC coverage. (a) VictimFraction(τ). (b) AttackFraction(τ). (c) VictimTraceFraction(τ).

cannot completely protect ASs from spoofing-based attacks. Hence, we focus on their ability to limit the spoofing capability of attackers. Fig. 5a shows that IDPF is effective in controlling VictimFraction(τ), especially with the IDPF VC coverage. The figure shows that the placement of IDPFs plays a key role in the effectiveness of IDPFs in controlling spoofing-based attacks. For example, with only 17.8 percent of nodes supporting IDPFs, VC outperforms both Rnd30 and Rnd50, although they recruit a larger number of nodes that support IDPFs. In general, it is preferable for nodes with large degrees (such as big ISPs) to deploy IDPFs.

Fig. 6a shows VictimFraction(τ) for the graphs from 2003 to 2005 (including $G_{2004c}$) with the VC coverage. We see that overall, similar trends hold for all the years examined. However, it is worth noting that $G_{2004c}$ performs worse than $G_{2004}$. This is because $G_{2004c}$ contains more edges and more AS paths by incorporating one year of BGP updates.

AttackFraction(τ) illustrates how effective IDPFs are in limiting the spoofing capability of attackers. In particular, AttackFraction(1) is the proportion of nodes from which an attacker cannot launch any spoofing-based attacks against any other nodes. Fig. 5b shows that IDPFs are very effective in this regard. For $G_{2004c}$, AttackFraction(1) = 80.8 percent, 59.2 percent, and 36.2 percent for VC, Rnd50, and Rnd30, respectively. Similar trends hold for all the years examined (see Fig. 6b). This indicates that IDPFs are very effective in limiting the spoofing capability.

Recall that VictimTraceFraction(τ) indicates the proportion of nodes that, under attack by packets with a source IP address, can pinpoint the true origin of the packets to be within at most τ nodes. Fig. 5c shows that all nodes can localize the true origin of an arbitrary attack packet to be within a small number of candidate nodes (28 nodes; see Fig. 6c) for the VC coverage. For the other two, that is, Rnd30 and Rnd50, the ability of nodes to pinpoint the true origin is greatly reduced. In Fig. 6c, we also see that $G_{2003}$, $G_{2004}$, and $G_{2005}$ can all pinpoint the true origin of attack packets to be within 10 nodes. However, it is important to note that such graphs are less complete representations of the Internet topology compared to $G_{2004c}$. Nonetheless, the trend in the results for $G_{2003}$, $G_{2004}$, and $G_{2005}$ is quite similar to that in the results for $G_{2004c}$. In the rest of this section, we will mostly show results for $G_{2004c}$, since this data set is more complete than the others.

Figs. 7 and 8 show the performance as functions of the percentages of IDPF nodes selected with the Top and Rnd methods, respectively. As expected, in both cases, the effectiveness of IDPF increases as a larger number of nodes deploy IDPF. However, these two figures show that the Top method is significantly more effective than the Rnd scheme, which strongly argues for the deployment of IDPFs in large ISPs with more connectivity. As shown in the figures, even when deployed on only 1 percent of the most connected nodes, IDPFs can significantly limit the spoofing capability of the attackers and increase the traceback accuracy. Moreover, the performance of IDPFs with 5 percent of all the nodes selected by the Top method is never worse than that with 30 percent of all the nodes selected by the Rnd method in terms of all of the three performance metrics. When the IDPF nodes are randomly selected, they can still significantly limit the spoofing capability (see Fig. 8b).

6.3.2 Impacts of Precise Routing Information

In this section, we study the impact of the precise global routing information on the performance of IDPFs. The goal is to determine the performance difference between IDPFs and the ideal route-based packet filters [12] with precise global routing information. Notice that in a sense, SAVE [22] is a way to realize route-based packet filtering on the Internet. Its
Fig. 7. The Top method with different percentages of IDPF nodes. (a) VictimFraction(τ). (b) AttackFraction(τ). (c) VictimTraceFraction(τ).

Fig. 8. The Rnd method with different percentages of IDPF nodes. (a) VictimFraction(τ). (b) AttackFraction(τ). (c) VictimTraceFraction(τ).

packet filtering performance should be close to route-based packet filtering with precise global routing information. As discussed in Section 6.2.2, we use the shortest path on the AS graph for a given pair of source and destination to approximate the precise route between the pair. As shown in Fig. 9, the availability of the precise routing information between any pair of source and destination only slightly improves the AttackFraction(τ) of IDPFs in comparison to the case where BGP update information is used. For example, although about 84 percent of nodes cannot be used by attackers to launch any spoofing-based attacks by relying on the precise routing information, there are still about 80 percent of ASs where an attacker cannot launch any such attacks by solely relying on the BGP update information. However, the traceback ability is more significantly affected. By only relying on the BGP update information, an arbitrary AS can still pinpoint the true origin of an attack packet to be within 28 ASs compared to 7 if precise global routing information is available.

Figs. 10 and 11 show the results when the IDPF nodes are selected with the Top and Rnd methods, respectively. For both IDPF node selection schemes, the precise routing information (versus BGP updates) has little impact on AttackFraction and has significant impact on VictimTraceFraction. These results indicate that using local BGP updates does not significantly affect the IDPFs' ability to limit the spoofing capability of attackers but may affect the traceback accuracy. This conclusion applies to both Top and Rnd deployment scenarios.

Fig. 9. Precise routing information versus BGP update information ($G_{2004c}$, VC).

Fig. 10. The Top method with different percentages of IDPF nodes. (a) AttackFraction(τ). (b) VictimTraceFraction(τ).

Fig. 11. The Rnd method with different percentages of IDPF nodes. (a) AttackFraction(τ). (b) VictimTraceFraction(τ).

6.3.3 Impacts of Overlapping Prefixes

Fig. 12 shows the impact of overlapping prefixes. In Fig. 12a, we see that overlapping prefixes only have a relatively
12. DUAN ET AL.: CONTROLLING IP SPOOFING THROUGH INTERDOMAIN PACKET FILTERS 33
Fig. 12. Impact of overlapping prefixes (G2004c ,VC; note that scales are different). (a) AttackF ractionðÞ. (b) V ictimT raceF ractionðÞ.
(c) V ictimT raceF raction99 ðÞ.
Fig. 13. The T op method with different percentages of IDPF nodes. (a) AttackF ractionðÞ. (b) V ictimT raceF ractionðÞ.
(c) V ictimT raceF raction99 ðÞ.
Fig. 14. The Rnd method with different percentages of IDPF nodes. (a) AttackF ractionðÞ. (b) V ictimT raceF ractionðÞ.
(c) V ictimT raceF raction99 ðÞ.
moderate impact on limiting the spoofing capability of packet to be within ASs. Fig. 12c presents the values of
attackers. For example, an attacker of about 50 percent nodes V ictimT raceF raction99 ðÞ. In this figure, we see that for more
cannot spoof IP addresses of any other nodes. Fig. 12b than 99 percent of IP addresses of attack packets, a node can
demonstrates that overlapping prefixes may significantly pinpoint the true origin to be within 79 nodes.
affect the ability of nodes to pinpoint the true origin of an Figs. 13 and 14 show the results when the IDPF nodes
attack packet. However, we speculate that this is caused by are selected with the T op and Rnd methods, respectively.
ISPs that announce less specific prefixes that contain more For the T op method, overlapping prefixes slightly
specific prefixes announced by other ASs. To verify this, we affect AttackF ractionðÞ but may significantly change
introduce another metric V ictimT raceF raction99 ðÞ, which V ictimT raceF ractionðÞ. For example,
is defined with respect to 99 percent of jCs;t j. Formally, V ictimT raceF ractionð1000Þ
99
V ictimT raceF raction ðÞ changes from 100 percent with nonoverlapping prefixes to
jft : 8s 2 V ; P ðjCs;t j Þ ¼ 99%gj 0 percent with overlapping prefixes for all the percentages
¼ : plotted in Fig. 13. For the Rnd method, as shown in Fig. 14, the
jV j
impact on AttackF raction is negligible, whereas the impact
V ictimT raceF raction99 ðÞ can be interpreted as follows: on V ictimT raceF raction is significant. These results are in
For an attack packet with an arbitrary IP source address, with line with the results for the VC coverage, which indicates that
a 99 percent probability, we can pinpoint the true origin of the the conclusion applies to both IDPF node selection schemes.
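The two traceback metrics above, computed on a constructed candidate-set table as an added example (not the paper's simulation code). It assumes C_{s,t} is represented as the set of nodes from which a packet with spoofed source s can reach victim t unfiltered, and reads the 99 percent condition as "at least 99 percent of the spoofed source addresses s satisfy |C_{s,t}| ≤ τ"; the sample shows how a single source address behind a less specific prefix drives the strict metric to 0 percent while the 99 percent variant is unaffected.

```python
from typing import Dict, Hashable, List, Optional, Set, Tuple

Node = Hashable
# cand[(s, t)] is the candidate-origin set C_{s,t}: the nodes from which a
# packet with spoofed source address s can reach victim t without being
# discarded by an IDPF.  (Assumed representation; not the paper's code.)
CandSets = Dict[Tuple[Node, Node], Set[Node]]


def victim_trace_fraction(cand: CandSets, V: List[Node], tau: int) -> float:
    """VictimTraceFraction(tau): fraction of victims t for which EVERY spoofed
    source s leaves at most tau candidate origins."""
    good = [t for t in V if all(len(cand[(s, t)]) <= tau for s in V)]
    return len(good) / len(V)


def victim_trace_fraction99(cand: CandSets, V: List[Node], tau: int) -> float:
    """VictimTraceFraction99(tau): as above, but it suffices that at least
    99 percent of the spoofed sources s satisfy |C_{s,t}| <= tau, so a few
    hard-to-trace source addresses do not disqualify the victim."""
    good = []
    for t in V:
        traceable = sum(1 for s in V if len(cand[(s, t)]) <= tau)
        if traceable / len(V) >= 0.99:
            good.append(t)
    return len(good) / len(V)


def build_sample(n: int = 200,
                 aggregate_src: Optional[int] = 0) -> Tuple[CandSets, List[Node]]:
    """Constructed sample (not simulation output).  Every C_{s,t} has three
    members, except when s belongs to an ISP announcing a less specific prefix
    that covers other ASs' prefixes: such a source leaves 50 candidates."""
    V: List[Node] = list(range(n))
    cand: CandSets = {}
    for s in V:
        for t in V:
            if s == aggregate_src:
                cand[(s, t)] = set(range(n - 50, n))
            else:
                cand[(s, t)] = {s, (s + 1) % n, (s + 2) % n}
    return cand, V


if __name__ == "__main__":
    cand, V = build_sample()
    # One aggregate-announcing source drives the strict metric to 0 percent at
    # tau = 10, while the 99 percent variant stays at 100 percent.
    print(victim_trace_fraction(cand, V, 10))    # 0.0
    print(victim_trace_fraction99(cand, V, 10))  # 1.0
```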
IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 5, NO. 1, JANUARY-MARCH 2008
Fig. 15. Deployment incentives (G2004c, Rnd5). (a) VictimFractionIDPF(τ) versus VictimFraction(τ). (b) VictimTraceFractionIDPF(τ) versus VictimTraceFraction(τ). (c) AttackFractionIDPF(τ) versus AttackFraction(τ).
Fig. 16. Deployment incentives (G2004c, Rnd30). (a) VictimFractionIDPF(τ) versus VictimFraction(τ). (b) VictimTraceFractionIDPF(τ) versus VictimTraceFraction(τ). (c) AttackFractionIDPF(τ) versus AttackFraction(τ).
6.3.4 Deployment Incentives
This section studies the incentives for an AS to deploy IDPFs. The deployment incentive is the key factor that is responsible for the slow deployment of network ingress filtering. Figs. 15 and 16 show the incentive for an AS to deploy IDPFs: the ASs that deploy IDPFs are better protected than those that do not deploy IDPFs. Fig. 15 shows the results when only 5 percent of all nodes (randomly selected) deploy IDPFs, whereas Fig. 16 shows the results when 30 percent of all nodes are IDPF nodes. We show the values of VictimFractionIDPF(τ) (the curve marked with IDPF Nodes) and VictimFraction(τ) (marked with All Nodes). In Figs. 15 and 16, we see that in the Rnd30 (Fig. 16) case, although only about 5 percent of all nodes on the Internet cannot be attacked by attackers that can spoof the IP addresses of more than 6,000 nodes, this percentage increases to higher than 11 percent among the nodes that support IDPFs. Moreover, as the value of τ increases, the difference between the two enlarges. Similarly, although only about 18 percent of all nodes on the Internet can pinpoint the true origin of an attack packet to be within 5,000 nodes, more than 33 percent of the nodes that support IDPFs can do so (Fig. 16b). Comparing Figs. 15 and 16, we can see that the relative benefit of deploying IDPFs is larger when a smaller number of nodes deploy IDPFs: there is more incentive to deploy IDPFs when a smaller number of ASs in the Internet are IDPF nodes.
Figs. 15c and 16c compare the spoofing capability of attackers in attacking a general node on the Internet and a node that supports IDPFs. We see that networks supporting IDPFs gain only slightly in this respect. This can be understood by noting that by deploying IDPFs, an AS protects not only itself but also those to whom the AS transports traffic.
Fig. 17. IDPF with and without ingress filtering (G2004c, VC).
6.3.5 IDPFs with and without Network Ingress Filtering
So far, we have assumed that networks supporting IDPFs also employ network ingress packet filtering [25]. In this section, we examine the implications of this assumption. In Fig. 17, we can see that ingress packet filtering indeed has an impact on the effectiveness of IDPFs in limiting the spoofing capability of attackers. However, without network ingress filtering, we still have more than 60 percent of nodes from which an attacker cannot launch any spoofing-based attacks, as compared to 80 percent when ingress filtering is enabled at nodes supporting IDPFs. As shown in Fig. 18, the impact of network ingress filtering on the effectiveness of IDPFs in terms of reactive IP traceback is not very large. Without ingress filtering, an arbitrary node can pinpoint the true origin of an attack packet to be within 87 nodes, as compared to 28 when networks supporting IDPFs also employ ingress filtering. We have also performed simulations with different IDPF node selection schemes, and the trend in the results is similar to that displayed in Figs. 17 and 18.
Fig. 18. IDPF with and without ingress filtering (G2004c, VC).
7 CONCLUSION
In this paper, we have proposed and studied an IDPF architecture as an effective countermeasure to IP spoofing-based DDoS attacks. IDPFs rely on BGP update messages exchanged on the Internet to infer the validity of the source address of a packet forwarded by a neighbor. We showed that IDPFs can easily be deployed on the current BGP-based Internet routing architecture. We studied the conditions under which the IDPF framework can correctly work without discarding any valid packets. Our simulation results showed that, even with partial deployment on the Internet, IDPFs can significantly limit the spoofing capability of attackers. Moreover, they also help pinpoint the true origin of an attack packet to be within a small number of candidate networks, thus simplifying the reactive IP traceback process.
ACKNOWLEDGMENTS
The authors would like to thank Kihong Park, Heejo Lee, and Ali Selcuk for providing the dpf simulation tool. They also thank the Oregon Route Views Project for making BGP routing tables and updates publicly available. Z. Duan was supported in part by the US National Science Foundation (NSF) Grant CCF-0541096. Y. Xin was supported in part by NSF Grants ANI-0106706, CCR-0208892, CCF-0342540, and CCF-0541096. J. Chandrashekar was supported in part by NSF Grants ITR-0085824 and CNS-0435444, and a Cisco URP Grant. Any opinions, findings, and conclusions or recommendations expressed in this paper are those of the authors and do not necessarily reflect the views of US NSF or Cisco Systems. A preliminary version of this paper appeared in the Proceedings of the IEEE INFOCOM 2006 with the title “Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates.”
REFERENCES
[1] ICANN SSAC Advisory SAC008 DNS Distributed Denial of Service (DDoS) Attacks, Mar. 2006.
[2] C. Labovitz, D. McPherson, and F. Jahanian, “Infrastructure Attack Detection and Mitigation,” Tutorial, Proc. ACM SIGCOMM, Aug. 2005.
[3] R. Beverly and S. Bauer, “The Spoofer Project: Inferring the Extent of Internet Source Address Filtering on the Internet,” Proc. First Usenix Steps to Reducing Unwanted Traffic on the Internet Workshop, July 2005.
[4] S. Kandula, D. Katabi, M. Jacob, and A. Berger, “Botz-4-Sale: Surviving Organized DDoS Attacks that Mimic Flash Crowds,” Proc. Second Symp. Networked Systems Design and Implementation, 2005.
[5] D. Moore, C. Shannon, D. Brown, G. Voelker, and S. Savage, “Inferring Internet Denial-of-Service Activity,” ACM Trans. Computer Systems, vol. 24, no. 2, May 2006.
[6] R. Pang, V. Yegneswaran, P. Barford, V. Paxson, and L. Peterson, “Characteristics of Internet Background Radiation,” Proc. ACM Internet Measurement Conf., Oct. 2004.
[7] S. Savage, D. Wetherall, A. Karlin, and T. Anderson, “Practical Network Support for IP Traceback,” Proc. ACM SIGCOMM Computer Comm. Rev., vol. 30, no. 4, Oct. 2000.
[8] P. Watson, “Slipping in the Window: TCP Reset Attacks,” Proc. Fifth CanSecWest/core04 Conf., 2004.
[9] J. Stewart, “DNS Cache Poisoning—The Next Generation,” technical report, LURHQ, Jan. 2003.
[10] V. Paxson, “An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks,” ACM Computer Comm. Rev., vol. 31, no. 3, July 2001.
[11] “CERT Advisory ca-1996-21 TCP SYN Flooding and IP Spoofing Attacks,” CERT, http://www.cert.org/advisories/CA-1996-21.html, 1996.
[12] K. Park and H. Lee, “On the Effectiveness of Route-Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets,” Proc. ACM SIGCOMM, Aug. 2001.
[13] Y. Rekhter and T. Li, “A Border Gateway Protocol 4 (BGP-4),” RFC 1771, Mar. 1995.
[14] L. Gao, “On Inferring Autonomous System Relationships in the Internet,” IEEE/ACM Trans. Networking, vol. 9, no. 6, Dec. 2001.
[15] L. Gao and J. Rexford, “Stable Internet Routing without Global Coordination,” IEEE/ACM Trans. Networking, vol. 9, no. 6, Dec. 2001.
[16] G. Huston, “Interconnection, Peering and Settlements: Part I,” The Internet Protocol J., Mar. 1999.
[17] F. Baker, “Requirements for IP Version 4 Routers,” RFC 1812, June 1995.
[18] “Unicast Reverse Path Forwarding Loose Mode,” Cisco Systems, http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newf%t/122t/122t13/ft_urpf.pdf, 2007.
[19] C. Jin, H. Wang, and K. Shin, “Hop-Count Filtering: An Effective Defense against Spoofed DDoS Traffic,” Proc. 10th ACM Conf. Computer and Comm. Security, Oct. 2003.
[20] A. Yaar, A. Perrig, and D. Song, “Pi: A Path Identification Mechanism to Defend against DDoS Attacks,” Proc. IEEE Symp. Security and Privacy, May 2003.
[21] A. Yaar, A. Perrig, and D. Song, “StackPi: New Packet Marking and Filtering Mechanisms for DDoS and IP Spoofing Defense,” IEEE J. Selected Areas in Comm., vol. 24, no. 10, Oct. 2006.
[22] J. Li, J. Mirkovic, M. Wang, P. Reiher, and L. Zhang, “Save: Source Address Validity Enforcement Protocol,” Proc. IEEE INFOCOM, June 2002.
[23] A. Bremler-Barr and H. Levy, “Spoofing Prevention Method,” Proc. IEEE INFOCOM, Mar. 2005.
[24] X. Liu, X. Yang, D. Wetherall, and T. Anderson, “Efficient and Secure Source Authentication with Packet Passport,” Proc. Second Usenix Workshop Steps to Reducing Unwanted Traffic on the Internet (SRUTI ’06), July 2006.
[25] P. Ferguson and D. Senie, Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing, RFC 2267, Jan. 1998.
[26] “The Team Cymru Bogon Route Server Project,” Team Cymru, http://www.cymru.com/BGP/bogon-rs.html, 2007.
[27] J. Stewart, BGP4: Inter-Domain Routing in the Internet. Addison-Wesley, 1999.
[28] W. Xu and J. Rexford, “Miro: Multi-Path Interdomain Routing,” SIGCOMM Computer Comm. Rev., vol. 36, no. 4, Oct. 2006.
[29] L. Gao, T. Griffin, and J. Rexford, “Inherently Safe Backup Routing with BGP,” Proc. IEEE INFOCOM, 2001.
[30] J. Chandrashekar, Z. Duan, Z.-L. Zhang, and J. Krasky, “Limiting Path Exploration in BGP,” Proc. IEEE INFOCOM, Mar. 2005.
[31] V. Fuller, T. Li, J. Yu, and K. Varadhan, “Classless Inter-Domain Routing (CIDR): An Address Assignment and Aggregation Strategy,” RFC 1519, Sept. 1993.
[32] Z. Duan, X. Yuan, and J. Chandrashekar, “Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates,” Proc. IEEE INFOCOM, Apr. 2006.
[33] “Route Views Project,” Univ. of Oregon, http://www.routeviews.org/, 2007.
[34] X. Dimitropoulos, D. Krioukov, and G. Riley, “Revisiting Internet As-Level Topology Discovery,” Proc. Sixth Int’l Workshop Passive and Active Measurement, Mar. 2005.
[35] D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver, “Inside the Slammer Worm,” Proc. IEEE Symp. Security and Privacy, 2003.
Zhenhai Duan (S’97-M’03) received the BS degree in computer science from Shandong University, China, in 1994, the MS degree in computer science from Beijing University, Beijing, in 1997, and the PhD degree in computer science from the University of Minnesota in 2003. He is currently an assistant professor in the Department of Computer Science, Florida State University. His research interests include computer networks and multimedia communications, especially scalable network resource control and management in the Internet, Internet routing protocols and service architectures, and networking security. He is a corecipient of the Best Paper Awards in the 10th IEEE International Conference on Network Protocols (ICNP ’02) and the 15th IEEE International Conference on Computer Communications and Networks (ICCCN ’06). He is a member of the IEEE and the ACM.
Xin Yuan (M’98) received the BS and MS degrees in computer science from Shanghai Jiaotong University in 1989 and 1992, respectively, and the PhD degree in computer science from the University of Pittsburgh in 1998. He is currently an associate professor in the Department of Computer Science, Florida State University. His research interests include parallel and distributed systems, compilers, and networking. He is a member of the IEEE and the ACM.
Jaideep Chandrashekar received the BE degree from Bangalore University, India, in 1997 and the PhD degree from the University of Minnesota in December 2005. He is currently with Intel Research, Santa Clara, California. His research interests include computer networks and distributed systems, especially Internet technologies, network routing, and computer security. He is a member of the IEEE and the ACM.