Science in China Series F: Information Sciences, Volume 51, Issue 11, pp 1745–1760

MASK: An efficient mechanism to extend inter-domain IP spoofing preventions

Abstract

IP spoofing hinders the efficiency of DDoS defenses. Recent proposals for IP spoofing prevention mechanisms, however, are weak at filtering spoofed packets because of the complexity of maintaining source IP spaces and the low incentive for deployment. To address this problem, we propose MASK, an efficient mechanism that extends the range of inter-domain IP spoofing prevention. Source MASK nodes inform destination MASK nodes about the source IP spaces and labels of their neighbor Stub-ASes, so that packets towards those Stub-ASes can be marked and verified, and limit the number of MASK peers through the propagation of BGP updates so as to reduce the overhead of computing and storing labels. By extending spoofing prevention to Stub-ASes, MASK not only enlarges the domain of the spoofing prevention service but also filters spoofed packets in advance. Through analysis and simulations, we demonstrate MASK’s accuracy and effectiveness.
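As an added illustration (not code from the paper), the marking-and-verification step the abstract describes, modelled in Python: a source MASK node announces a neighbour Stub-AS's IP space and label to a destination MASK node, marks packets leaving that Stub-AS, and the destination drops packets whose source address lies in an announced space but does not carry the announced label. The label format, the announcement channel and the BGP-based limiting of MASK peers are assumptions of this example, not the paper's scheme.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    label: Optional[str] = None  # MASK marking carried in the packet (format assumed)

@dataclass
class MaskNode:
    """A MASK-capable AS: marks packets leaving its neighbour Stub-ASes and verifies
    packets arriving for them. Labels are opaque per-(stub, peer) strings agreed between
    MASK nodes; label derivation and BGP-based peer limiting are not modelled (assumption)."""
    name: str
    stub_spaces: dict                                  # stub name -> list of its prefixes
    peer_table: dict = field(default_factory=dict)     # (peer, stub) -> (networks, label)
    labels: dict = field(default_factory=dict)         # (stub, peer) -> label to mark with

    def announce(self, peer, stub_as, label):
        """Source side: tell a peer MASK node the IP space of a Stub-AS and its label."""
        nets = [ipaddress.ip_network(p) for p in self.stub_spaces[stub_as]]
        self.labels[(stub_as, peer.name)] = label
        peer.peer_table[(self.name, stub_as)] = (nets, label)

    def mark(self, pkt, peer):
        """Source side: attach the label agreed with the destination MASK node."""
        addr = ipaddress.ip_address(pkt.src)
        for stub, prefixes in self.stub_spaces.items():
            if any(addr in ipaddress.ip_network(p) for p in prefixes):
                pkt.label = self.labels.get((stub, peer.name))
        return pkt

    def verify(self, pkt):
        """Destination side: 'accept', 'drop' (wrong/missing label) or 'unknown' (no peer covers src)."""
        addr = ipaddress.ip_address(pkt.src)
        for (_peer, _stub), (nets, label) in self.peer_table.items():
            if any(addr in n for n in nets):
                return "accept" if pkt.label == label else "drop"
        return "unknown"

def demo():
    # Constructed topology: AS-A fronts stub S1 (10.1.0.0/16), AS-B fronts stub S2 (10.2.0.0/16).
    a = MaskNode("AS-A", {"S1": ["10.1.0.0/16"]})
    b = MaskNode("AS-B", {"S2": ["10.2.0.0/16"]})
    a.announce(b, "S1", "label-S1-for-AS-B")           # constructed label value
    legit = a.mark(Packet("10.1.5.7", "10.2.0.9"), b)  # genuinely from S1, marked at AS-A
    spoofed = Packet("10.1.5.7", "10.2.0.9")           # forged S1 source, never marked
    outside = Packet("192.0.2.1", "10.2.0.9")          # source space covered by no MASK peer
    return b.verify(legit), b.verify(spoofed), b.verify(outside)
```

The `unknown` outcome is the case MASK's extension to Stub-ASes is meant to shrink: a destination can only verify sources whose space some MASK peer has announced.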

Keywords

DDoS; IP spoofing prevention; BGP

Copyright information

© Science in China Press and Springer-Verlag GmbH 2008

Authors and Affiliations

XiCheng Lu, GaoFeng Lü, PeiDong Zhu, YiJiao Chen
School of Computer, National University of Defense Technology, Changsha, China