|
 ABSTRACT
DoS attacks use IP spoofing to forge the source IP address of packets, and thereby hide the identity of the source. This makes it hard to defend against DoS attacks, so IP spoofing will still be used as an aggressive attack mechanism even under distributed attack environment. While many IP spoofing prevention techniques have been proposed, none have achieved widespread real-world use. One main reason is the lack of properties favoring incremental deployment, an essential component for the adoption of new technologies. A viable solution needs to be not only technically sound but also economically acceptable. An incrementally deploy-able protocol should have three properties: initial benefits for early adopters, incremental benefits for subsequent adopters, and effectiveness under partial deployment. Since no previous anti-spoofing solution satisfies all three of these properties, we propose a new mechanism called "BGP Anti-Spoofing Extension" (BASE). The BASE mechanism is an anti-spoofing protocol designed to fulfill the incremental deployment properties necessary for adoption in current Internet environments. Based on simulations we ran using a model of Internet AS connectivity, BASE shows desirable IP spoofing prevention capabilities under partial deployment. We find that just 30% deployment can drop about 97% of attack packets. Therefore, BASE not only provides adopters' benefit but also outperforms previous anti-spoofing mechanisms.
REFERENCES
Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.
| |
1
|
H. Aljifri, M. Smets, and A. P. Pons. IP traceback using header compression. Computers & Security, Feb. 2003.
|
| |
2
|
|
| |
3
|
S. Bellovin, M. Leech, and T. Taylor. The ICMP traceback message. Internet-Draft, draft-ietf-itrace-01.txt, Oct. 2001. Work in progress, available at ftp://ftp.ietf.org/internet-drafts/draft-ietf-itrace-01.txt.
|
| |
4
|
|
| |
5
|
CERT. TCP SYN flooding and IP spoofing attacks. Advisory CA-96.21, September 1996.
|
| |
6
|
Cisco. Strategies to protect against distributed denial of service (DDoS) attacks. Updated News Flash, Apr. 2003.
|
| |
7
|
M. Collins and M. K. Reiter. An empirical analysis of target-resident DoS filters. In Proceedings of IEEE Symposium on Security and Privacy, May 2004.
|
| |
8
|
P. Ferguson and D. Senie. Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing. RFC 2827, May 2000.
|
| |
9
|
D. Fisher. Internet survives massive ddos attack. http://www.eweek.com/article2/0, 1759, 1498701, 00.asp, Oct. 2002.
|
 |
10
|
|
| |
11
|
Y. He, M. Faloutsos, S. Krishnamurthy, and B. Huffaker. On Routing Asymmetry in the Internet. In Proceedings of IEEE Globecom, 2005.
|
| |
12
|
|
| |
13
|
T. Krovetz. Umac: Message Authentication Code using Universal Hashing. RFC 4418, Mar. 2006.
|
| |
14
|
Craig Labovitz , Abha Ahuja , Abhijit Bose , Farnam Jahanian, Delayed Internet routing convergence, Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, p.175-187, August 28-September 01, 2000, Stockholm, Sweden
|
| |
15
|
H. Lee and K. Park. On the effectiveness of probabilistic packet marking for IP traceback under denial of service attack. In Proceedings of IEEE Infocomm, Apr. 2001.
|
| |
16
|
J. Li, J. Mirkovic, M. Wang, P. Reiher, and L. Zhang. Save: Source address validity enforcement protocol. In Proceedings of IEEE INFOCOM, June 2002.
|
| |
17
|
|
| |
18
|
D. Meyer. University of Oregon Route Views archive project. http://archive.routeviews.org, 2005.
|
| |
19
|
G. A. Moore. Crossing the Chasm: Marketing and Selling High-Tech Products to Mainstream Customers. HarperCollins Publishers, 1995.
|
| |
20
|
Kihong Park , Heejo Lee, On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets, Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications, p.15-26, August 2001, San Diego, California, United States
|
| |
21
|
Vern Paxson, End-to-end routing behavior in the Internet, Conference proceedings on Applications, technologies, architectures, and protocols for computer communications, p.25-38, August 28-30, 1996, Palo Alto, California, United States
|
| |
22
|
J. Postel. Internet protocol. RFC 791, Sept. 1981.
|
| |
23
|
Y. Rekhter, T. Li, and S. Hares. A Border Gateway Protocol 4 (BGP-4). RFC 4271, Jan. 2006.
|
| |
24
|
Stefan Savage , David Wetherall , Anna Karlin , Tom Anderson, Practical network support for IP traceback, Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, p.295-306, August 28-September 01, 2000, Stockholm, Sweden
|
| |
25
|
D. Song and A. Perrig. Advanced and authenticated marking schemes for IP traceback. In Proceedings of IEEE Infocomm, April 2001.
|
| |
26
|
Neil Spring , Ratul Mahajan , Thomas Anderson, The causes of path inflation, Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications, August 25-29, 2003, Karlsruhe, Germany
[doi> 10.1145/863955.863970]
|
| |
27
|
Renata Teixeira , Keith Marzullo , Stefan Savage , Geoffrey M. Voelker, Characterizing and measuring path diversity of internet topologies, Proceedings of the 2003 ACM SIGMETRICS international conference on Measurement and modeling of computer systems, June 11-14, 2003, San Diego, CA, USA
|
| |
28
|
D. Wetherall, J. Guttag, and D. L. Tennenhouse. ANTS: A toolkit for building and dynamically deploying network protocols. In IEEE OPENARCH'98, Apr. 1998.
|
| |
29
|
|
CITED BY 3
|
|
Jun Li , Jelena Mirkovic , Toby Ehrenkranz , Mengqiu Wang , Peter Reiher , Lixia Zhang, Learning the valid incoming direction of IP packets, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.52 n.2, p.399-417, February, 2008
|
|
|
|
|
|
|
|
Adobe Acrobat
QuickTime
Windows Media Player
Real Player
Pdf
C.2