On the state of IP spoofing defense

Research article. Published: 11 May 2009.

Abstract

IP source address spoofing has plagued the Internet for many years. Attackers spoof source addresses to mount attacks and redirect blame. Researchers have proposed many mechanisms to defend against spoofing, with varying levels of success. With the defense mechanisms available today, where do we stand? How do the various defense mechanisms compare? This article first looks into the current state of IP spoofing, then thoroughly surveys the current state of IP spoofing defense. It evaluates data from the Spoofer Project, and describes and analyzes host-based defense methods, router-based defense methods, and their combinations. It further analyzes what obstacles stand in the way of deploying those modern solutions and what areas require further research.
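The abstract's two defense families, router-based and host-based, are easiest to compare with a concrete check from each. The following is an added illustration written for this page, not code from the article or from any of the cited projects. It sketches a router-side reverse-path check in the spirit of RFC 2827/RFC 3704 ingress filtering (strict mode requires the route back to the source to leave on the arrival interface; loose mode only requires that some route exists) beside a host-side hop-count filter after Jin, Wang and Shin (2003), which infers the hops a packet travelled from its final TTL and compares that with the hop count learned earlier for the same source. The routing table, addresses and TTLs are constructed sample data; `Packet`, `ReversePathFilter`, `HopCountFilter` and `demo` are names chosen here.

```python
"""Router-based (reverse-path) and host-based (hop-count) spoofing checks.

All routes, addresses and TTLs are constructed sample data for this example.
"""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src ttl iface")


class ReversePathFilter:
    """Router-side source validation against a static forwarding table."""

    def __init__(self, routes):
        # routes: iterable of (prefix, outgoing interface) pairs
        self.routes = [(ipaddress.ip_network(p), i) for p, i in routes]

    def lookup(self, addr):
        """Longest-prefix match for addr; None when no route covers it."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def accept(self, pkt, mode="strict"):
        """True if pkt passes reverse-path validation in the given mode.

        strict: the reverse route must exit via pkt.iface (false positives under
                asymmetric routing at multihomed sites, hence RFC 3704's loose mode).
        loose:  any reverse route suffices; only unrouted sources are dropped.
        """
        iface = self.lookup(pkt.src)
        if iface is None:
            return False
        return True if mode == "loose" else iface == pkt.iface


# Initial TTLs used by common operating systems. The hop count is the distance
# from the smallest of these that is >= the TTL observed at the receiver.
INITIAL_TTLS = (32, 64, 128, 255)


def hop_count(ttl):
    """Infer the number of hops a packet travelled from its final TTL."""
    if not 0 <= ttl <= 255:
        raise ValueError("TTL must fit in one octet")
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise AssertionError("unreachable: 255 is the largest initial TTL")


class HopCountFilter:
    """Host-side filter keyed on the hop count learned per source address."""

    def __init__(self, tolerance=0):
        self.table = {}             # src -> learned hop count
        self.tolerance = tolerance  # slack for legitimate route changes

    def learn(self, src, ttl):
        """Record the hop count seen on traffic whose source is already verified,
        e.g. a completed TCP handshake, which a blind spoofer cannot finish."""
        self.table[src] = hop_count(ttl)

    def accept(self, src, ttl):
        """True/False when the source is known, None when no entry exists yet."""
        expected = self.table.get(src)
        if expected is None:
            return None
        return abs(hop_count(ttl) - expected) <= self.tolerance


def demo():
    """Run both checks over constructed packets and return the verdicts."""
    rpf = ReversePathFilter([
        ("10.0.0.0/8", "eth0"),    # customer aggregate
        ("10.1.0.0/16", "eth1"),   # more specific customer prefix
        ("0.0.0.0/0", "uplink"),   # default route
    ])
    hcf = HopCountFilter()
    hcf.learn("198.51.100.7", ttl=52)   # 64-TTL sender seen 12 hops away

    return {
        "rpf_strict_ok":    rpf.accept(Packet("10.1.2.3", 60, "eth1")),
        "rpf_strict_spoof": rpf.accept(Packet("10.1.2.3", 60, "eth0")),
        "rpf_loose_spoof":  rpf.accept(Packet("10.1.2.3", 60, "eth0"), mode="loose"),
        "hcf_ok":           hcf.accept("198.51.100.7", 52),
        "hcf_spoof":        hcf.accept("198.51.100.7", 40),
        "hcf_unknown":      hcf.accept("203.0.113.9", 52),
    }
```

The two checks fail in different ways, which is the comparison the survey is after: strict reverse-path filtering is decisive but only where the filtering router sits near the source and routing is symmetric, and it does nothing for a spoofed address that is legitimately reachable through the arrival interface; hop-count filtering works at the victim with no network cooperation, but it needs a prior observation for each source, drifts when routes change, and can be evaded by an attacker who knows the victim's distance to the address being spoofed and sets the TTL to match.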

References

  1. Adler, M. 2005. Trade-offs in probabilistic packet marking for IP traceback. J. ACM 52, 2, 217--244.
  2. Albrightson, B., Garcia-Luna-Aceves, J., and Boyle, J. 1994. EIGRP: A fast routing protocol based on distance vectors. In Proceedings of Networld/Interop.
  3. Aura, T. and Nikander, P. 1997. Stateless connections. In Proceedings of the International Conference on Information and Communication Security, Y. Han et al., Eds. Lecture Notes in Computer Science, vol. 1334. Springer, 87--97.
  4. Baker, F. 1995. Requirements for IP Version 4 routers. RFC 1812.
  5. Baker, F. and Savola, P. 2004. Ingress filtering for multihomed networks. RFC 3704.
  6. Bernstein, D. J. 1996. SYN cookies. http://cr.yp.to/syncookies.html.
  7. Beverly, R. 2004. A robust classifier for passive TCP/IP fingerprinting. In Proceedings of the Passive and Active Measurement Conference, 158--167.
  8. Beverly, R. and Bauer, S. 2005. The Spoofer Project: Inferring the extent of source address filtering on the Internet. In Proceedings of the USENIX Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI), 53--59.
  9. Bremler-Barr, A. and Levy, H. 2005. Spoofing prevention method. In Proceedings of the Annual Joint Conference of the IEEE Computer and Communications Societies (InfoCom).
  10. Feng, W.-c., Kaiser, E. C., Feng, W.-c., and Luu, A. 2005. Design and implementation of network puzzles. In Proceedings of the Annual Joint Conference of the IEEE Computer and Communications Societies (InfoCom), 2372--2382.
  11. Cisco Systems Inc. 2007. Configuring TCP intercept. http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_tcp_intercpt.pdf
  12. Dean, D., Franklin, M. K., and Stubblefield, A. 2002. An algebraic approach to IP traceback. ACM Trans. Inf. Syst. Secur. 5, 2, 119--137.
  13. Diffie, W. and Hellman, M. E. 1976. New directions in cryptography. IEEE Trans. Inf. Theory 22, 6, 644--654.
  14. Duan, Z., Yuan, X., and Chandrashekar, J. 2006. Constructing inter-domain packet filters to control IP spoofing based on BGP updates. In Proceedings of the Annual Joint Conference of the IEEE Computer and Communications Societies (InfoCom).
  15. Ehrenkranz, T. and Li, J. 2007. An incrementally deployable protocol for learning the valid incoming direction of IP packets. Tech. rep. CIS-TR-2007-05, University of Oregon. March.
  16. Ferguson, P. and Senie, D. 2000. Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing. RFC 2827.
  17. Fyodor. 2006. Remote OS detection. http://nmap.org/book/osdetect.html.
  18. Goodell, G., Aiello, W., Griffin, T., Ioannidis, J., McDaniel, P., and Rubin, A. 2003. Working around BGP: An incremental approach to improving security and accuracy of interdomain routing. In Proceedings of the Network and Distributed System Security Symposium.
  19. He, Y., Faloutsos, M., and Krishnamurthy, S. V. 2004. Quantifying the routing asymmetry in the Internet at the AS level. In Proceedings of the IEEE Conference and Exhibition on Global Telecommunications (GlobeCom).
  20. He, Y., Faloutsos, M., and Krishnamurthy, S. V. 2005. On routing asymmetry in the Internet. In Proceedings of the IEEE Conference and Exhibition on Global Telecommunications (GlobeCom).
  21. Jin, C., Wang, H., and Shin, K. G. 2003. Hop-count filtering: An effective defense against spoofed DDoS traffic. In Proceedings of the ACM Conference on Computer and Communications Security, 30--41.
  22. Kent, S. and Seo, K. 2005. Security architecture for the Internet Protocol. RFC 4301.
  23. Killalea, T. 2000. Recommended Internet service provider security services and procedures. RFC 3013.
  24. Lee, H., Kwon, M., Hasker, G., and Perrig, A. 2007. BASE: An incrementally deployable mechanism for viable IP spoofing prevention. In Proceedings of the ACM Symposium on Information, Computer, and Communications Security.
  25. Li, J., Mirkovic, J., Wang, M., Reiher, P. L., and Zhang, L. 2002. SAVE: Source address validity enforcement protocol. In Proceedings of the Annual Joint Conference of the IEEE Computer and Communications Societies (InfoCom), 1557--1566.
  26. Liu, X., Li, A., Yang, X., and Wetherall, D. 2008. Passport: Secure and adoptable source authentication. In Proceedings of the USENIX Symposium on Networked Systems Design and Implementation.
  27. Martin, K. 2006. Stop the bots. SecurityFocus.
  28. Messmer, E. 2007. Report says identity thieves working hand in hand with 'bot herders'. Network World.
  29. MIT Advanced Network Architecture Group. 2007. ANA Spoofer Project. http://spoofer.csail.mit.edu/.
  30. Moy, J. 1998. OSPF Version 2. RFC 2328 (Standard).
  31. Oran, D. 1990. OSI IS-IS intra-domain routing protocol. RFC 1142 (Informational).
  32. Park, K. and Lee, H. 2001. On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets. In Proceedings of ACM SIGCOMM, 15--26.
  33. Piscitello, D. M. 2006. Anatomy of a DNS DDoS amplification attack. http://www.watchguard.com/infocenter/editorial/41649.asp.
  34. Rekhter, Y., Li, T., and Hares, S. 2006. A Border Gateway Protocol 4 (BGP-4). RFC 4271 (Draft Standard).
  35. Saltzer, J. H., Reed, D. P., and Clark, D. D. 1984. End-to-end arguments in system design. ACM Trans. Comput. Syst. 2, 4, 277--288.
  36. Savage, S., Wetherall, D., Karlin, A. R., and Anderson, T. E. 2000. Practical network support for IP traceback. In Proceedings of ACM SIGCOMM, 295--306.
  37. Snoeren, A. C., Partridge, C., Sanchez, L. A., Jones, C. E., Tchakountio, F., Schwartz, B., Kent, S. T., and Strayer, W. T. 2002. Single-packet IP traceback. IEEE/ACM Trans. Netw. 10, 6, 721--734.
  38. Taleck, G. 2003. Ambiguity resolution via passive OS fingerprinting. In Proceedings of the Symposium on Recent Advances in Intrusion Detection, 192--206.
  39. Templeton, S. J. and Levitt, K. E. 2003. Detecting spoofed packets. In Proceedings of the DARPA Information Survivability Conference and Exposition, vol. 1, 164--175.
  40. Wang, H., Jin, C., and Shin, K. G. 2007. Defense against spoofed IP traffic using hop-count filtering. IEEE/ACM Trans. Netw. 15, 1, 40--53.
  41. Wu, J., Ren, G., and Li, X. 2007. Source address validation: Architecture and protocol design. In Proceedings of the IEEE International Conference on Network Protocols (ICNP'07).
  42. Yaar, A., Perrig, A., and Song, D. 2003. Pi: A path identification mechanism to defend against DDoS attack. In Proceedings of the IEEE Symposium on Security and Privacy, 93--107.
  43. Yaar, A., Perrig, A., and Song, D. 2006. StackPi: New packet marking and filtering mechanisms for DDoS and IP spoofing defense. IEEE J. Selected Areas Commun. 24, 10, 1853--1863.
  44. Zalewski, M. 2001. Strange attractors and TCP/IP sequence number analysis. http://lcamtuf.coredump.cx/oldtcp/.
  45. Zalewski, M. 2002. Strange attractors and TCP/IP sequence number analysis: One year later. http://lcamtuf.coredump.cx/newtcp/.
  46. Zalewski, M. 2006. Passive OS fingerprinting tool. http://lcamtuf.coredump.cx/p0f.shtml.


Published in: ACM Transactions on Internet Technology, Volume 9, Issue 2 (May 2009), 116 pages. ISSN 1533-5399, EISSN 1557-6051. Issue DOI: 10.1145/1516539.

Copyright © 2009 ACM. Publisher: Association for Computing Machinery, New York, NY, United States.

Publication history: Received 1 September 2007; Accepted 1 May 2008; Published 11 May 2009.

Qualifiers: research article, refereed.
