
Importance of IDPF to Avoid DDoS Attacks

CH. Srikar, K. Hanumantha Rao, K. Venkatesh Sharma

Abstract


The Distributed Denial-of-Service (DDoS) attack is a serious threat to the legitimate use of the Internet. Prevention mechanisms are thwarted by the ability of attackers to forge or spoof the source addresses in IP packets. By employing IP spoofing, attackers can evade detection and put a substantial burden on the destination network for policing attack packets. In this paper, we propose an interdomain packet filter (IDPF) architecture that can mitigate the level of IP spoofing on the Internet. A key feature of our scheme is that it does not require global routing information. IDPFs are constructed from the information implicit in Border Gateway Protocol (BGP) route updates and are deployed in network border routers. We establish the conditions under which the IDPF framework correctly works in that it does not discard packets with valid source addresses. Based on extensive simulation studies, we show that, even with partial deployment on the Internet, IDPFs can proactively limit the spoofing capability of attackers. In addition, they can help localize the origin of an attack packet to a small number of candidate networks.
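To make the filtering idea in the abstract concrete, the following is an added illustration, not code from the paper or its authors: a simplified model of an inter-domain packet filter built only from the route updates a border router hears from each neighbour AS. The sample updates, AS numbers and prefixes are constructed; the rule "accept a packet from neighbour N with source in prefix P only if N has advertised a route for P" is a simplification of the feasible-path reasoning the abstract refers to and is labelled as an assumption in the code. It also shows the localization property: for a given source address, the set of neighbours that could legitimately deliver it is small.

```python
"""Simplified inter-domain packet filter (IDPF) model built from BGP-style
route updates. Constructed illustration; not the paper's algorithm and not
any router vendor's implementation."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of BGP updates received by our border router (AS 100).
# Each entry: (neighbour AS that sent the update, prefix, AS_PATH).
# A path of None models a withdrawal of that prefix by that neighbour.
SAMPLE_UPDATES = [
    (200, "10.1.0.0/16", [200, 300]),
    (200, "10.2.0.0/16", [200]),
    (400, "10.3.0.0/16", [400, 500]),
    (400, "10.1.0.0/16", [400, 200, 300]),   # alternate path to 10.1/16
    (400, "10.9.0.0/16", [400]),
    (400, "10.9.0.0/16", None),              # later withdrawn by AS 400
]


def build_idpf_table(updates):
    """Return {neighbour_as: [prefixes it currently advertises]}.

    Assumption (simplified feasible-path rule): if a neighbour advertises a
    route for prefix P, then P is a feasible source of packets arriving from
    that neighbour. Withdrawals remove the prefix again so the table does not
    keep stale entries that would let spoofed traffic through.
    """
    table = defaultdict(set)
    for neighbour, prefix, path in updates:
        net = ip_network(prefix)
        if path is None:
            table[neighbour].discard(net)
        else:
            table[neighbour].add(net)
    # Keep only neighbours that still advertise something.
    return {n: sorted(nets, key=lambda x: (int(x.network_address), x.prefixlen))
            for n, nets in table.items() if nets}


def is_feasible_source(table, neighbour, src_ip):
    """True if src_ip lies in a prefix the given neighbour has advertised.

    This is the per-packet check a border router would apply: a packet whose
    source address could not have reached us via this neighbour is treated
    as spoofed and dropped. Packets from an unknown neighbour are dropped too.
    """
    addr = ip_address(src_ip)
    return any(addr in net for net in table.get(neighbour, []))


def candidate_neighbours(table, src_ip):
    """Neighbours through which a packet claiming src_ip could legitimately
    arrive. A short list means the origin of a spoofed packet is localized
    to few candidate networks, as the abstract describes."""
    addr = ip_address(src_ip)
    return sorted(n for n, nets in table.items() if any(addr in net for net in nets))


def filter_packets(table, packets):
    """Classify constructed (ingress_neighbour, src_ip) packets as
    'accept' or 'drop' according to the filter table."""
    return [(nbr, src, "accept" if is_feasible_source(table, nbr, src) else "drop")
            for nbr, src in packets]


if __name__ == "__main__":
    t = build_idpf_table(SAMPLE_UPDATES)
    sample_packets = [
        (200, "10.1.5.5"),    # AS 200 advertised 10.1/16 -> accept
        (400, "10.2.7.7"),    # AS 400 never advertised 10.2/16 -> drop (spoofed)
        (400, "10.9.1.1"),    # route withdrawn -> drop
        (999, "10.3.1.1"),    # unknown neighbour -> drop
    ]
    for nbr, src, verdict in filter_packets(t, sample_packets):
        print(f"from AS{nbr} src={src}: {verdict}")
    print("candidates for 10.1.1.1:", candidate_neighbours(t, "10.1.1.1"))
```

The point the model makes is the one the abstract emphasises: the table is built from routing information the router already has, without any global view, and a correctly maintained table never drops a packet whose source is reachable via the neighbour it arrived from. The real scheme reasons about AS relationships along the whole feasible path rather than only the prefixes a neighbour directly announced, so this table is more permissive than the paper's filters.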

Keywords


IP Spoofing, DDoS, BGP, Network-Level Security and Protection, Routing Protocols.





Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 License.