Welcome to the new version of CaltechAUTHORS. Login is currently restricted to library staff. If you notice any issues, please email coda@library.caltech.edu
Published February 2007 | public
Journal Article Open

Defense Against Spoofed IP Traffic Using Hop-Count Filtering

Abstract

IP spoofing has often been exploited by Distributed Denial of Service (DDoS) attacks to: 1)conceal flooding sources and dilute localities in flooding traffic, and 2)coax legitimate hosts into becoming reflectors, redirecting and amplifying flooding traffic. Thus, the ability to filter spoofed IP packets near victim servers is essential to their own protection and prevention of becoming involuntary DoS reflectors. Although an attacker can forge any field in the IP header, he cannot falsify the number of hops an IP packet takes to reach its destination. More importantly, since the hop-count values are diverse, an attacker cannot randomly spoof IP addresses while maintaining consistent hop-counts. On the other hand, an Internet server can easily infer the hop-count information from the Time-to-Live (TTL) field of the IP header. Using a mapping between IP addresses and their hop-counts, the server can distinguish spoofed IP packets from legitimate ones. Based on this observation, we present a novel filtering technique, called Hop-Count Filtering (HCF)-which builds an accurate IP-to-hop-count (IP2HC) mapping table-to detect and discard spoofed IP packets. HCF is easy to deploy, as it does not require any support from the underlying network. Through analysis using network measurement data, we show that HCF can identify close to 90% of spoofed IP packets, and then discard them with little collateral damage. We implement and evaluate HCF in the Linux kernel, demonstrating its effectiveness with experimental measurements.

Additional Information

© Copyright 2007 IEEE. Reprinted with permission. Manuscript received October 4, 2004; revised September 19, 2005, and December 19, 2005; approved by IEEE/ACM TRANSACTIONS ON NETWORKING Editor D. Yau. [Posted online: 2007-02-20] This work was supported in part by the National Science Foundation under Grants CCR-0329629 and CNS-052392 and by the Office of Naval Research under Grant N00014-04-10726. This paper was previously presented in part at the 10th ACM Conference on Computer and Communications Security, CCS 2003, Washington, D.C.

Files

WANiatnet07.pdf
Files (781.5 kB)
Name Size Download all
md5:ad7040428881877a4275ef3baec3504c
781.5 kB Preview Download

Additional details

Created:
August 22, 2023
Modified:
October 16, 2023