Coordination of Anti-Spoofing Mechanisms in Partial Deployments
Internet protocol (IP) spoofing is a serious problem on the Internet. It is an attractive technique for adversaries who wish to amplify their network attacks and retain anonymity. Many approaches have been proposed to prevent IP spoofing attacks; however, they do not address a significant deployment issue, namely the filtering inefficiency caused by a lack of deployment incentives for adopters. To defeat attacks effectively, a mechanism must be widely deployed on the network; however, most anti-spoofing mechanisms cannot solve the deployment issue by themselves. Each mechanism can work separately, but its defensive power is considerably weakened when it is insufficiently deployed. If partially deployed mechanisms are coordinated so that they work together, they demonstrate considerably superior performance by creating a synergy effect that overcomes their limited deployment. Therefore, we propose a universal anti-spoofing (UAS) mechanism that incorporates existing mechanisms to thwart IP spoofing attacks. In the proposed mechanism, intermediate routers use any existing anti-spoofing mechanism that can ascertain whether a packet is spoofed and record this decision in the packet header. The edge routers of a victim network can then estimate whether a packet is forged based on the information sent by the upstream routers. The results of experiments conducted with real Internet topologies indicate that UAS reduces false alarms by up to 84.5% compared to the case where each mechanism operates individually.
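The following simulation is an added example, not code from the paper or its authors, illustrating the coordination idea in the abstract: upstream routers that already run some anti-spoofing check record their verdict in the packet, and the victim's edge router combines those verdicts with its own check. Everything concrete here is an assumption for illustration: the mark is modelled as a list field on a packet object rather than a real header encoding, the upstream mechanism chosen is BCP 38 ingress filtering, the edge mechanism chosen is hop-count filtering (HCF), the aggregation rule ("any upstream spoofed verdict is final, otherwise an upstream legit verdict overrides local HCF") is invented for the example, and the three traffic cases are constructed. The scenario shows how a legitimate host whose route has changed triggers a false alarm under HCF alone but not under coordination, while a spoofed packet that HCF has no baseline for is caught only through the upstream mark.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

SPOOFED, LEGIT = "spoofed", "legit"


@dataclass
class Packet:
    """Simulated packet. 'marks' stands in for the header field in which
    UAS-capable routers record their verdict (encoding assumed for this example)."""
    src: str
    ttl: int
    in_iface: str                      # interface on which the packet enters the first router
    marks: list = field(default_factory=list)


class IngressFilterRouter:
    """Router deploying BCP 38 ingress filtering on its customer interface. Instead of
    silently dropping, it records its verdict so downstream routers can use it."""

    def __init__(self, name, customer_prefix):
        self.name = name
        self.customer_prefix = ip_network(customer_prefix)

    def forward(self, pkt):
        if pkt.in_iface == "customer":
            inside = ip_address(pkt.src) in self.customer_prefix
            pkt.marks.append((self.name, LEGIT if inside else SPOOFED))
        pkt.ttl -= 1
        pkt.in_iface = "transit"
        return pkt


class PlainRouter:
    """Router with no anti-spoofing mechanism deployed: decrements TTL and forwards."""

    def __init__(self, name):
        self.name = name

    def forward(self, pkt):
        pkt.ttl -= 1
        pkt.in_iface = "transit"
        return pkt


class VictimEdge:
    """Victim-side edge router running hop-count filtering (HCF) locally. In UAS
    mode it combines HCF with the marks left by upstream routers."""

    def __init__(self, hop_table):
        self.hop_table = hop_table     # src -> hop count learned from earlier traffic

    def hcf_verdict(self, pkt):
        # Infer the initial TTL from common OS defaults and derive the hop count.
        initial_ttl = next(t for t in (64, 128, 255) if pkt.ttl <= t)
        hops = initial_ttl - pkt.ttl
        expected = self.hop_table.get(pkt.src)
        if expected is None:
            return LEGIT               # no baseline for this source: HCF cannot reject
        return LEGIT if hops == expected else SPOOFED

    def decide(self, pkt, uas):
        # Assumed aggregation rule (not the paper's): an upstream "spoofed" verdict is
        # final; an upstream "legit" verdict from an ingress filter overrides local HCF.
        if uas and pkt.marks:
            verdicts = {v for _, v in pkt.marks}
            if SPOOFED in verdicts:
                return SPOOFED
            if LEGIT in verdicts:
                return LEGIT
        return self.hcf_verdict(pkt)


def run_path(routers, pkt):
    """Push a packet through the routers in order; returns the packet as delivered."""
    for r in routers:
        pkt = r.forward(pkt)
    return pkt


def simulate():
    """Constructed scenario comparing standalone HCF with UAS coordination.
    Returns {case: (ground_truth, standalone_verdict, uas_verdict)}."""
    edge = VictimEdge(hop_table={"10.0.0.5": 3})   # baseline learned on a 3-hop path
    r1 = IngressFilterRouter("R1", "10.0.0.0/24")  # only router with a mechanism deployed
    cases = {
        # legitimate host whose route has grown to 4 hops: HCF alone mismatches
        "legit_rerouted": (LEGIT, [r1, PlainRouter("R2"), PlainRouter("R3"), PlainRouter("R4")],
                           Packet(src="10.0.0.5", ttl=64, in_iface="customer")),
        # forged source sent from an unfiltered network 2 hops away: HCF catches it
        "spoof_unfiltered": (SPOOFED, [PlainRouter("R5"), PlainRouter("R6")],
                             Packet(src="10.0.0.5", ttl=64, in_iface="customer")),
        # forged source behind R1 using an address HCF has no baseline for
        "spoof_behind_r1": (SPOOFED, [r1, PlainRouter("R2"), PlainRouter("R3")],
                            Packet(src="192.0.2.9", ttl=64, in_iface="customer")),
    }
    results = {}
    for name, (truth, path, pkt) in cases.items():
        delivered = run_path(path, pkt)
        results[name] = (truth, edge.decide(delivered, uas=False), edge.decide(delivered, uas=True))
    return results


def false_alarms(results):
    """Count legitimate packets judged spoofed, per mode."""
    return {
        "standalone": sum(1 for t, s, _ in results.values() if t == LEGIT and s == SPOOFED),
        "uas": sum(1 for t, _, u in results.values() if t == LEGIT and u == SPOOFED),
    }


if __name__ == "__main__":
    res = simulate()
    for case, (truth, alone, coordinated) in res.items():
        print(f"{case:18s} truth={truth:8s} HCF-alone={alone:8s} UAS={coordinated}")
    print("false alarms:", false_alarms(res))
```

The point of the construction is that neither mechanism is deployed everywhere: R1 filters only its own customers, and the victim's HCF only knows sources it has already learned. Run standalone, HCF misclassifies the rerouted legitimate host and misses the unknown forged address; with the upstream verdict carried in the packet, both outcomes flip, which is the synergy effect the abstract describes.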