ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
BASE: an incrementally deployable mechanism for viable IP spoofing prevention
Full text PdfPdf (274 KB)
Source ASIAN ACM Symposium on Information, Computer and Communications Security archive
Proceedings of the 2nd ACM symposium on Information, computer and communications security table of contents
Singapore
SESSION: Network security table of contents
Pages: 20 - 31  
Year of Publication: 2007
ISBN:1-59593-574-6
Authors
Heejo Lee  Korea University, Seoul, South KOREA
Minjin Kwon  Korea University, Seoul, South KOREA
Geoffrey Hasker  CyLab / CMU, Pittsburgh
Adrian Perrig  CyLab / CMU, Pittsburgh
Sponsor
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 13,   Downloads (12 Months): 73,   Citation Count: 4
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1229285.1229293
What is a DOI?

ABSTRACT

DoS attacks use IP spoofing to forge the source IP address of packets, and thereby hide the identity of the source. This makes it hard to defend against DoS attacks, so IP spoofing will still be used as an aggressive attack mechanism even under distributed attack environment. While many IP spoofing prevention techniques have been proposed, none have achieved widespread real-world use. One main reason is the lack of properties favoring incremental deployment, an essential component for the adoption of new technologies. A viable solution needs to be not only technically sound but also economically acceptable. An incrementally deploy-able protocol should have three properties: initial benefits for early adopters, incremental benefits for subsequent adopters, and effectiveness under partial deployment. Since no previous anti-spoofing solution satisfies all three of these properties, we propose a new mechanism called "BGP Anti-Spoofing Extension" (BASE). The BASE mechanism is an anti-spoofing protocol designed to fulfill the incremental deployment properties necessary for adoption in current Internet environments. Based on simulations we ran using a model of Internet AS connectivity, BASE shows desirable IP spoofing prevention capabilities under partial deployment. We find that just 30% deployment can drop about 97% of attack packets. Therefore, BASE not only provides adopters' benefit but also outperforms previous anti-spoofing mechanisms.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
H. Aljifri, M. Smets, and A. P. Pons. IP traceback using header compression. Computers & Security, Feb. 2003.
 
2
F. Baker , P. Savola, Ingress Filtering for Multihomed Networks, RFC Editor, 2004
 
3
S. Bellovin, M. Leech, and T. Taylor. The ICMP traceback message. Internet-Draft, draft-ietf-itrace-01.txt, Oct. 2001. Work in progress, available at ftp://ftp.ietf.org/internet-drafts/draft-ietf-itrace-01.txt.
 
4
D. Bruschi , L. Cavallaro , E. Rosti, Less harm, less worry or how to improve network security by bounding system offensiveness, Proceedings of the 16th Annual Computer Security Applications Conference, p.188, December 11-15, 2000
 
5
CERT. TCP SYN flooding and IP spoofing attacks. Advisory CA-96.21, September 1996.
 
6
Cisco. Strategies to protect against distributed denial of service (DDoS) attacks. Updated News Flash, Apr. 2003.
 
7
M. Collins and M. K. Reiter. An empirical analysis of target-resident DoS filters. In Proceedings of IEEE Symposium on Security and Privacy, May 2004.
 
8
P. Ferguson and D. Senie. Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing. RFC 2827, May 2000.
 
9
D. Fisher. Internet survives massive ddos attack. http://www.eweek.com/article2/0, 1759, 1498701, 00.asp, Oct. 2002.
10
Oded Goldreich , Shafi Goldwasser , Silvio Micali, How to construct random functions, Journal of the ACM (JACM), v.33 n.4, p.792-807, Oct. 1986  [doi>10.1145/6490.6503]
 
11
Y. He, M. Faloutsos, S. Krishnamurthy, and B. Huffaker. On Routing Asymmetry in the Internet. In Proceedings of IEEE Globecom, 2005.
12
Cheng Jin , Haining Wang , Kang G. Shin, Hop-count filtering: an effective defense against spoofed DDoS traffic, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30, 2003, Washington D.C., USA  [doi>10.1145/948109.948116]
 
13
T. Krovetz. Umac: Message Authentication Code using Universal Hashing. RFC 4418, Mar. 2006.
14
Craig Labovitz , Abha Ahuja , Abhijit Bose , Farnam Jahanian, Delayed Internet routing convergence, Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, p.175-187, August 28-September 01, 2000, Stockholm, Sweden
 
15
H. Lee and K. Park. On the effectiveness of probabilistic packet marking for IP traceback under denial of service attack. In Proceedings of IEEE Infocomm, Apr. 2001.
 
16
J. Li, J. Mirkovic, M. Wang, P. Reiher, and L. Zhang. Save: Source address validity enforcement protocol. In Proceedings of IEEE INFOCOM, June 2002.
 
17
B. Manning, Registering New BGP Attribute Types, RFC Editor, 1997
 
18
D. Meyer. University of Oregon Route Views archive project. http://archive.routeviews.org, 2005.
 
19
G. A. Moore. Crossing the Chasm: Marketing and Selling High-Tech Products to Mainstream Customers. HarperCollins Publishers, 1995.
20
Kihong Park , Heejo Lee, On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets, Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications, p.15-26, August 2001, San Diego, California, United States
21
Vern Paxson, End-to-end routing behavior in the Internet, Conference proceedings on Applications, technologies, architectures, and protocols for computer communications, p.25-38, August 28-30, 1996, Palo Alto, California, United States
 
22
J. Postel. Internet protocol. RFC 791, Sept. 1981.
 
23
Y. Rekhter, T. Li, and S. Hares. A Border Gateway Protocol 4 (BGP-4). RFC 4271, Jan. 2006.
24
Stefan Savage , David Wetherall , Anna Karlin , Tom Anderson, Practical network support for IP traceback, Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, p.295-306, August 28-September 01, 2000, Stockholm, Sweden
 
25
D. Song and A. Perrig. Advanced and authenticated marking schemes for IP traceback. In Proceedings of IEEE Infocomm, April 2001.
26
Neil Spring , Ratul Mahajan , Thomas Anderson, The causes of path inflation, Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications, August 25-29, 2003, Karlsruhe, Germany  [doi>10.1145/863955.863970]
27
Renata Teixeira , Keith Marzullo , Stefan Savage , Geoffrey M. Voelker, Characterizing and measuring path diversity of internet topologies, Proceedings of the 2003 ACM SIGMETRICS international conference on Measurement and modeling of computer systems, June 11-14, 2003, San Diego, CA, USA
 
28
D. Wetherall, J. Guttag, and D. L. Tennenhouse. ANTS: A toolkit for building and dynamically deploying network protocols. In IEEE OPENARCH'98, Apr. 1998.
 
29
Abraham Yaar , Adrian Perrig , Dawn Song, Pi: A Path Identification Mechanism to Defend against DDoS Attacks, Proceedings of the 2003 IEEE Symposium on Security and Privacy, p.93, May 11-14, 2003

CITED BY  4
Sagy Bar , Mira Gonen , Avishai Wool, A geographic directed preferential internet topology model, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.14, p.4174-4188, October, 2007
Craig A. Shue , Minaxi Gupta , Matthew P. Davy, Packet forwarding with source verification, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.52 n.8, p.1567-1582, June, 2008
Jun Li , Jelena Mirkovic , Toby Ehrenkranz , Mengqiu Wang , Peter Reiher , Lixia Zhang, Learning the valid incoming direction of IP packets, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.52 n.2, p.399-417, February, 2008
Toby Ehrenkranz , Jun Li, On the state of IP spoofing defense, ACM Transactions on Internet Technology (TOIT), v.9 n.2, p.1-29, May 2009

INDEX TERMS

Primary Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.0 General
          Subjects: Security and protection (e.g., firewalls)

Additional Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.2 Network Protocols
          Subjects: Routing protocols
          Nouns: IP


General Terms:
Algorithms, Security


Keywords:
BGP anti-spoofing extension, DDoS attack, IP spoofing, packet marking and filtering

Collaborative Colleagues:
Heejo Lee: colleagues
Minjin Kwon: colleagues
Geoffrey Hasker: colleagues
Adrian Perrig: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player