Controlling IP Spoofing with SBGP

International Journal of Computer Science (IJCS) Published by SK Research Group of Companies (SKRGC).

Abstract

IP address spoofing refers to the creation of Internet Protocol packets with a forged source IP address, called spoofing, it is a method of attacking a network in order to gain unauthorized access. The Distributed Denial-of-Service (DDoS) attack is a serious threat to the legitimate use of the Internet. The attack is based on the fact that Internet communication between distant computers is routinely handled by routers which find the best route by examining the destination address. By employing IP spoofing, attackers can evade detection and put a substantial burden on the destination network for policing attack packets. In this paper, we propose an Inter Domain Packet Filter (IDPF) architecture that can mitigate the level of IP spoofing on the Internet. A key feature of our scheme is that it does not require global routing information. IDPFs are constructed from the information implicit in Border Gateway Protocol (BGP) route updates and are deployed in network border routers. We establish the conditions under which the IDPF framework correctly works in that it does not discard packets with valid source addresses. Based on extensive simulation studies, we show that, even with partial employment on the Internet, IDPFs can proactively limit the spoofing capability of attackers. In addition, they can help localize the origin of an attack packet to a small number of candidate networks

References

[1] Routing Protocol Security Using Symmetric Key Based Techniques. Bezawada Bruhadeshwar and Kishore Kothpalli and M.Poornima and M.Divya International Institue of Technology Hydrabad.

[2] K. Park and H. Lee. On the e_ectiveness of routebased packet _ltering for distributed DoS attack prevention in power-law internets. In Proc. ACM SIGCOMM, San Diego, CA 2000

[3] ICANN/SSAC, .ICANN SSAC Advisory SAC008 DNS Distributed Denial of Service (DDoS) Attacks,. Mar. 2006.

[4] C. Labovitz, D. McPherson, and F. Jahanian, .Infrastructure attack detection and mitigation,. SIGCOMM 2005, August 2005, tutorial.

[5] R. Beverly and S. Bauer, .The Spoofer Project: Inferring the extent of Internet source address _ltering on the internet,. in Proceedings of Usenix SRUTI, Cambridge, MA, Jul. 2005.

[6] S. Kandula, D. Katabi, M. Jacob, and A. Berger, .Botz-4-Sale: Surviving Organized DDoS Attacks that Mimic Flash Crowds,. in NSDI, 2005.

[7] D. Moore, C. Shannon, D. Brown, G. Voelker, and S. Savage, .Inferring internet Denial-of-Service activity,. ACM Transactions on Computer Systems, vol.24, no. 2, May 2006.

[8] J.Stewart, .DNS cache poisoning - the next generation,. LURHQ, Technical Report, Jan. 2003.

[9] Paxson, .An analysis of using re_ectors for distributed denialof- service attacks,. ACM Computer Communications Review (CCR),vol. 31, no. 3, Jul. 2001.

[10] K. Park and H. Lee, .On the effectiveness of routebased packet _ltering for distributed DoS attack prevention in power-law internets,. in Proc.ACM SIGCOMM, San Diego, CA, Aug. 2001.

[11]Y. Rekhter and T. Li, .A border gateway protocol 4 (BGP-4),. RFC 1771, Mar. 1995.

[12]L. Gao, .On inferring autonomous system relationships in the internet,. IEEE/ACM Transactions on Networking, vol. 9, no. 6, Dec. 2001.

Keywords

Border gateway protocol, symmetric key distribution protocol, Inter Domain Packet Filter