| | Chinese Journal of Computers Full Text |
| Title | Refining the Inter-Domain IP Spoofing Prevention |
| Authors | LU Gao-Feng SUN Zhi-Gang LU Xi-Cheng |
| Address | (School of Computer Science, National University of Defense Technology, Changsha 410073) |
| Year | 2009 |
| Issue | No.3 (552-563) |
| Abstract & Background | Abstract The validation of source IP addresses has become a key technique for building a trustworthy network. Inter-domain IP spoofing preventions based on coarse-grained labels of source-destination ASes protect wide domains of ASes and provide high incentives for deployment; however, they have the shortcoming that they cannot filter spoofing packets that forge the IP addresses of other hosts in the same subnet. IP spoofing preventions based on fine-grained labels of source-destination subnets solve this problem, but their complexity is very high. To address the contradiction between the complexity of prevention and the granularity of filtering, a novel mechanism to refine the inter-domain IP spoofing prevention service, RISP, is proposed. Based on the stability of the AS topology, RISP introduces unsymmetrical fine-grained labels between source subnets and destination ASes, which can filter spoofing packets originating from ASes or subnets. Based on the characteristics of the mainstream attacks employing IP spoofing, RISP combines anomaly detection with IP spoofing prevention, which can trigger dynamic marking, reduce the cost of computing and storing labels, and limit the rates of malicious flows.
Keywords IP spoofing prevention; unsymmetrical fine-grained label; dynamic marking; trustworthy network
Background DDoS defenses are thwarted by IP spoofing: by spoofing source addresses, attackers can evade detection and put a substantial burden on destination networks that must filter the attack packets. IP spoofing prevention has therefore become an important kind of network security facility, one that detects attacks based on spoofed packets and filters malicious traffic. Although many IP spoofing prevention techniques have been proposed, none of them is widely used in the Internet. The mechanisms proposed so far cannot protect all network equipment from being attacked and cannot filter spoofed packets before they flood intermediate networks.
Existing IP spoofing prevention mechanisms are not efficient, and their high cost and low incentive of deployment discourage ISPs from deploying them, which leaves a serious flaw in the Internet. The mismatch between how IP addresses are allocated and how they are used, such as multihoming and hijacking, increases the complexity of obtaining the state of domains, and conflicts among the management policies of domains make cooperation with other domains harder. End-hosts are vulnerable to spoofing attacks, and coordinated attacks employing IP spoofing have a serious influence on the Internet, so designing an efficient IP spoofing prevention mechanism is an important approach to building a trustworthy network. The work of this paper is supported by the National Grand Fundamental Research (973) Program of China (2009CB320503 and 2005CB321801). The research team of this paper has made innovative contributions and published many technical papers in journals and proceedings. As a part of source IP address validation, this paper presents a novel approach to refining the IP spoofing prevention service so that it filters spoofed packets originating from subnets with little computing and communication overhead. Based on the stability of the AS topology, RISP introduces unsymmetrical fine-grained labels between source subnets and destination ASes, which can filter spoofed packets originating from ASes or subnets. Based on the characteristics of the mainstream attacks employing IP spoofing, RISP combines anomaly detection with IP spoofing prevention, which can trigger dynamic marking, reduce the cost of computing and storing labels, and limit the rate of malicious flows. RISP acts as an open platform for attack detection and response, which would support the building of the next-generation trustworthy network.
Ahead of this work, the authors proposed a mechanism to extend the IP spoofing prevention service towards non-members of the alliance of spoofing preventions and a mechanism to enhance the ability of spoofing prevention towards members of the alliance, both of which are efficient and scalable mechanisms of inter-domain spoofing prevention. |
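The abstract draws two distinctions that are easier to see in a running model: coarse AS-to-AS labels pass a packet that forges a neighbour's address inside the same AS, whereas subnet-to-AS labels catch it; and fine-grained marking need only be switched on for a source AS once the destination observes an anomaly. The following toy simulation is an added example, not code from the paper or from RISP itself. The topology, the keys, the HMAC-based label construction, the per-subnet packet-count anomaly threshold, and the way the destination "requests" fine-grained marking (a flag set directly in the simulation) are all assumptions made for illustration.

```python
"""Toy model of inter-domain spoofing-prevention labels.

Compares coarse labels keyed on (source AS, destination AS) with fine-grained
labels keyed on (source subnet, destination AS), and shows anomaly-triggered
switching between them. All topology, keys and thresholds are constructed.
"""
import hashlib
import hmac
import ipaddress
from collections import Counter
from dataclasses import dataclass

DST_AS = 200  # destination AS being protected (constructed)
# Constructed topology: two subnets in AS 100 (alliance member), one in AS 300 (non-member).
SUBNETS = {"10.1.0.0/24": 100, "10.2.0.0/24": 100, "10.3.0.0/24": 300}
AS_KEYS = {(100, DST_AS): b"key-as100-to-as200"}          # coarse label keys (constructed)
SUBNET_KEYS = {("10.1.0.0/24", DST_AS): b"key-sub1-to-as200",
               ("10.2.0.0/24", DST_AS): b"key-sub2-to-as200"}  # fine-grained keys (constructed)


def subnet_of(ip: str) -> str:
    """Map an address to the configured subnet that contains it."""
    addr = ipaddress.ip_address(ip)
    for net in SUBNETS:
        if addr in ipaddress.ip_network(net):
            return net
    raise ValueError(f"{ip} is not in any known subnet")


def make_label(key: bytes, src: str, dst: str) -> bytes:
    """Label = truncated HMAC over the claimed addresses (assumed construction)."""
    return hmac.new(key, f"{src}->{dst}".encode(), hashlib.sha256).digest()[:4]


@dataclass
class Packet:
    src: str        # claimed source address, possibly forged
    dst: str
    ingress: str    # subnet where the packet really entered the network
    label: bytes = b""


def mark(pkt: Packet, fine: bool) -> Packet:
    """Source-side edge router: marks with the key of the *real* ingress."""
    if fine:
        key = SUBNET_KEYS.get((pkt.ingress, DST_AS))
    else:
        key = AS_KEYS.get((SUBNETS[pkt.ingress], DST_AS))
    pkt.label = make_label(key, pkt.src, pkt.dst) if key else b""
    return pkt


def verify(pkt: Packet, fine: bool) -> bool:
    """Destination-side filter: recomputes the label from the *claimed* source."""
    claimed_subnet = subnet_of(pkt.src)
    if fine:
        key = SUBNET_KEYS.get((claimed_subnet, DST_AS))
    else:
        key = AS_KEYS.get((SUBNETS[claimed_subnet], DST_AS))
    if key is None:
        return False  # claimed origin has no agreed key: drop
    return hmac.compare_digest(pkt.label, make_label(key, pkt.src, pkt.dst))


def demo_same_as_gap():
    """A host in 10.2.0.0/24 forging a 10.1.0.0/24 address (same AS).
    Returns (passes coarse filter, passes fine filter)."""
    def forged():
        return Packet(src="10.1.0.7", dst="172.16.0.1", ingress="10.2.0.0/24")
    coarse = verify(mark(forged(), fine=False), fine=False)
    fine = verify(mark(forged(), fine=True), fine=True)
    return coarse, fine


class DynamicFilter:
    """Destination AS that uses coarse labels by default and asks a source AS for
    fine-grained marking only after a flood attributed to one of its subnets."""

    def __init__(self, threshold: int = 5):
        self.threshold = threshold        # constructed anomaly threshold
        self.fine_for_as = set()          # ASes asked to mark at subnet granularity
        self.per_subnet = Counter()       # packets seen per claimed subnet
        self.accepted = 0
        self.dropped = 0
        self.escalated = []

    def process(self, pkt: Packet) -> bool:
        claimed_subnet = subnet_of(pkt.src)
        claimed_as = SUBNETS[claimed_subnet]
        ingress_as = SUBNETS[pkt.ingress]
        # The source edge marks at whatever granularity the destination requested from it.
        mark(pkt, fine=ingress_as in self.fine_for_as)
        ok = verify(pkt, fine=claimed_as in self.fine_for_as)
        self.per_subnet[claimed_subnet] += 1
        self.accepted += ok
        self.dropped += not ok
        # Anomaly detection: a burst attributed to one subnet triggers dynamic marking.
        if self.per_subnet[claimed_subnet] > self.threshold and claimed_as not in self.fine_for_as:
            self.fine_for_as.add(claimed_as)
            self.escalated.append(claimed_subnet)
        return ok


def run_scenario() -> dict:
    """Constructed traffic: legitimate packets, a same-AS forgery burst, a
    non-member forgery, then more legitimate packets after escalation."""
    legit = lambda: Packet("10.1.0.7", "172.16.0.1", ingress="10.1.0.0/24")
    same_as_forgery = lambda: Packet("10.1.0.7", "172.16.0.1", ingress="10.2.0.0/24")
    outsider_forgery = lambda: Packet("10.1.0.7", "172.16.0.1", ingress="10.3.0.0/24")
    traffic = [legit] * 3 + [same_as_forgery] * 10 + [outsider_forgery] * 2 + [legit] * 2
    f = DynamicFilter(threshold=5)
    for make in traffic:
        f.process(make())
    return {"accepted": f.accepted, "dropped": f.dropped, "escalated": f.escalated}


if __name__ == "__main__":
    print("same-AS forgery passes (coarse, fine):", demo_same_as_gap())
    print(run_scenario())
```

In the scenario the first three same-AS forgeries pass because the destination is still verifying at AS granularity; the sixth packet attributed to 10.1.0.0/24 crosses the threshold, the destination switches that AS to subnet-level labels, and every later forgery from 10.2.0.0/24 fails while legitimate traffic from 10.1.0.0/24 keeps passing. Packets from the non-member AS 300 carry no valid label in either mode.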