Abstract
IP source address spoofing has plagued the Internet for many years. Attackers spoof source addresses to mount attacks and redirect blame. Researchers have proposed many mechanisms to defend against spoofing, with varying levels of success. With the defense mechanisms available today, where do we stand? How do the various defense mechanisms compare? This article first looks into the current state of IP spoofing, then thoroughly surveys the current state of IP spoofing defense. It evaluates data from the Spoofer Project, and describes and analyzes host-based defense methods, router-based defense methods, and their combinations. It further analyzes what obstacles stand in the way of deploying those modern solutions and what areas require further research.