02-06-2012, 03:30 PM
Comparative Evaluation of Spoofing Defenses
INTRODUCTION
IP spoofing has been used in distributed denial-of-service
(DDoS) attacks and intrusions. It is also necessary for reflector
DDoS attacks, where servers reply to spoofed requests
and these replies overwhelm the victim whose address was
misused.
A. Spoofing Is an Open Problem:
Some researchers believe that spoofing is not an open
problem, based on (1) the Spoofer project's study [1], which
estimates that 80% of networks deploy ingress filtering, and
(2) the prevalence of non-spoofed DDoS attacks. We now argue
to the contrary.
ANALYSIS OF DEFENSE EFFECTIVENESS
Let $\mathrm{IP}_{rout}$ and $\mathrm{IPv4}$ be the set of globally routable and all
IP addresses, respectively. During the analysis, we observe the
Internet as a directed, connected graph whose nodes are routers
or autonomous systems, and whose links are determined
by routing protocols. We consider packets sent from source
address $s \in \mathrm{IP}_{rout}$ to destination address $d \in \mathrm{IP}_{rout}$, $d \neq s$,
spoofing the address $p \in \mathrm{IPv4}$, $p \neq s$. In the analysis, we
investigate factors that determine the portion of possible $\{s, d, p\}$
combinations filtered by some defense.
DEFENSE PERFORMANCE MEASURES
There are three dimensions of spoofing: spoofed addresses
(p), sources of spoofed traffic (s) and its targets (d). The main
goal of a spoofing defense is to provide protection to targets
against spoofed and reflected traffic. We express this through
the target protection and reflector attack protection measures,
respectively.
When we evaluate these measures we will assume that
the remaining two dimensions, $\{s, p\}$ in the case of target
protection and $\{s, d\}$ in the case of reflector attack protection,
are distributed uniformly at random in the IPv4 space. We
do this because we cannot predict which addresses may be
spoofed and towards which targets.
DEFENSE EVALUATION METHOD
We evaluate effectiveness of the proposed defenses by first
reproducing the Internet’s autonomous system (AS) map using
the connectivity and AS relationship information inferred
for May 2005 via the approach described in [13]. We then
use No-Valley-Customer-Prefer approach [15] to infer routing
behavior from AS relationships. During evaluation we calculate
parameter tables for each defense, generate packets that
traverse the $\{s, d, p\}$ parameter space, and calculate performance
measures defined in Section III. We now first discuss different
inference approaches for the AS connectivity, relationship and
routing, and we provide arguments for the approach adopted
in this paper. We then explain how the evaluation is performed
and how we specify performance goals for each defense.
Hop-Count Filtering
HCF associates each source with the router hop-count
between it and the filter. Hop-counts are inferred from the
TTLs in packets belonging to established TCP connections.
Since we reproduce the Internet topology at the AS level, we
mimic router-level hop counts by associating with each AS-AS
link a random hop count chosen from [1–4] inclusive.
A packet's hop count at a filter is the sum of the hop counts of
the traversed AS links. This strategy produces a Gaussian hop-count
distribution, as observed in the real Internet [5], and end-to-end
hop counts lie within observed limits.
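As an added example (not code from the paper), the following toy implementation shows HCF's TTL-to-hop-count inference and per-source filter table, together with the AS-level approximation the evaluation uses: a random hop count in [1–4] per AS link, summed along the path from the sender to the filter. The initial-TTL set, the address literals and the small AS paths are constructed assumptions.

```python
"""Toy Hop-Count Filter (HCF) and the AS-level hop-count approximation
used to evaluate it. Added example; constructed values throughout."""
import random

# Common OS initial TTL values (assumption). HCF infers the hop count as
# (initial TTL - observed TTL), using the smallest initial TTL >= observed.
INITIAL_TTLS = (32, 64, 128, 255)


def hop_count_from_ttl(ttl):
    """Infer the router hop count of a packet from its observed TTL."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError("TTL must be in 0..255")


class HopCountFilter:
    """Table of source address -> hop count, learned from established TCP flows."""

    def __init__(self):
        self.table = {}

    def learn(self, src, ttl):
        self.table[src] = hop_count_from_ttl(ttl)

    def accept_hops(self, src, hops):
        # Sources not yet in the table pass; known sources must match.
        expected = self.table.get(src)
        return expected is None or expected == hops

    def accept(self, src, ttl):
        return self.accept_hops(src, hop_count_from_ttl(ttl))


def random_link_hops(links, seed):
    """Mimic router-level distance: each AS-AS link gets a hop count in [1, 4]."""
    rng = random.Random(seed)
    hops = {}
    for a, b in links:
        hops[(a, b)] = hops[(b, a)] = rng.randint(1, 4)  # same in both directions
    return hops


def path_hop_count(path, link_hops):
    """A packet's hop count at the filter is the sum over the AS links it traverses."""
    return sum(link_hops[(a, b)] for a, b in zip(path, path[1:]))


def spoofed_packet_dropped(hcf, p, s_path, link_hops):
    """Does a packet sent along s_path, carrying spoofed source p, fail the HCF check?"""
    return not hcf.accept_hops(p, path_hop_count(s_path, link_hops))
```

The filter at the destination only sees the hop count of the real sender's path, so a spoofed packet passes exactly when the attacker happens to sit at the same router distance as the address it spoofs.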