13-07-2013, 12:58 PM
Controlling IP Spoofing
ABSTRACT
The Distributed Denial-of-Service (DDoS) attack is a serious threat to the legitimate use of the Internet. Prevention mechanisms are thwarted by the ability of attackers to forge or spoof the source addresses in IP packets. By employing IP spoofing, attackers can evade detection and put a substantial burden on the destination network for policing attack packets. In this paper, we propose an interdomain packet filter (IDPF) architecture that can mitigate the level of IP spoofing on the Internet. A key feature of our scheme is that it does not require global routing information. IDPFs are constructed from the information implicit in Border Gateway Protocol (BGP) route updates and are deployed in network border routers. We establish the conditions under which the IDPF framework works correctly, in that it does not discard packets with valid source addresses. Based on extensive simulation studies, we show that, even with partial deployment on the Internet, IDPFs can proactively limit the spoofing capability of attackers. In addition, they can help localize the origin of an attack packet to a small number of candidate networks.
INTRODUCTION
Project Overview:
IP spoofing lets attackers evade detection and puts a substantial burden on the destination network for policing attack packets. In this project, we propose an interdomain packet filter (IDPF) architecture that can mitigate the level of IP spoofing on the Internet. A key feature of our scheme is that it does not require global routing information. IDPFs are constructed from the information implicit in Border Gateway Protocol (BGP) route updates and are deployed in network border routers. We establish the conditions under which the IDPF framework works correctly, in that it does not discard packets with valid source addresses. Based on extensive simulation studies, we show that, even with partial deployment on the Internet, IDPFs can proactively limit the spoofing capability of attackers.
Project Description:
Packets sent using the IP protocol include the IP address of the sending host. The recipient directs replies to the sender using this source address. However, the correctness of this address is not verified by the protocol: IP specifies no method for validating the authenticity of a packet's source. This implies that an attacker can forge the source address to be any address desired, which is almost exclusively done for malicious or at least inappropriate purposes. Given that attackers can exploit this weakness in many attacks, it would be beneficial to know whether network traffic carries spoofed source addresses.
PROPOSED SYSTEM:
Definition 1 (stable routing state): A routing system is in a stable state if all the nodes have selected a best route to reach other nodes and no route updates are generated (or propagated).
Definition 2 (route-based packet filtering): Node v accepts packet M(s, d) that is forwarded from node u if and only if the edge e(u, v) belongs to R(s, d). Otherwise, the source address of the packet is spoofed, and the packet is discarded by v.
IDPF WORKING:
IDPFs are completely oblivious to the specifics of the announced routes. Following a network failure, the set of feasible upstream neighbors will not admit more members during the period of routing convergence, assuming that AS relationships are static, which is true in most cases. Hence, for the first type of routing dynamics (network failure), there is no possibility that the filters will block a valid packet. We illustrate this as follows. Consider an IDPF-enabled AS v that is on the best route from s to d. Let u = bestU(s, d, v) and U = feasibleU(s, d, v). A link or router failure between u and s can have three outcomes:
1) AS u can still reach AS s, and u is still chosen to be the best upstream neighbor for packet M(s, d), that is, u = bestU(s, d, v). In this situation, although u may explore and announce multiple routes to v during the path exploration process [30], the filtering function of v is unaffected.
2) AS u is no longer the best upstream neighbor for packet M(s, d), and another feasible upstream neighbor u' in U can reach AS s and is instead chosen to be the new best upstream neighbor for M(s, d). Now, both u and u' may explore multiple routes; however, since u' has already announced a route (about s) to v, the IDPF at v can correctly filter (that is, accept) packet M(s, d) when it is forwarded from u'.
3) No feasible upstream neighbor can reach s. Consequently, AS v will also not be able to reach s, and v will no longer be on the best route between s and d. No new packet M(s, d) should be sent through v.
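To make Definition 2 and the failure outcomes above concrete, here is an added simulation (not code from the paper or the project) of the filter at one AS: it records, from the BGP updates it receives itself, which neighbors have announced a route to a source AS s, accepts a packet M(s, d) from neighbor u only if u is in that feasible set, and then replays outcome 2 (failover from u to u'). The topology, AS numbers and the IDPF/scenario names are constructed for this example; treating a withdrawal as removing the neighbor from the feasible set is a simplification.

```python
from collections import defaultdict


class IDPF:
    """Interdomain packet filter at one AS (hypothetical model of the page's filter).

    No global routing table is kept: the filter only remembers which neighbor
    announced a route to each source AS s, i.e. feasibleU(s, v) as implied by
    the BGP UPDATE/WITHDRAW messages this AS receives directly.
    """

    def __init__(self, asn):
        self.asn = asn
        self.feasible = defaultdict(set)   # s -> neighbors that announced a route to s
        self.best = {}                     # s -> neighbor currently used to reach s

    def bgp_update(self, neighbor, src_as):
        """neighbor announces a route to src_as: it becomes a feasible upstream for s."""
        self.feasible[src_as].add(neighbor)
        self.best.setdefault(src_as, neighbor)

    def bgp_withdraw(self, neighbor, src_as):
        """neighbor withdraws its route to src_as (e.g. after a link failure)."""
        self.feasible[src_as].discard(neighbor)
        if self.best.get(src_as) == neighbor:            # failover to another feasible u'
            self.best[src_as] = min(self.feasible[src_as], default=None)

    def accept(self, src_as, from_neighbor):
        """Definition 2: accept M(s, d) from u only if u is a feasible upstream for s."""
        return from_neighbor in self.feasible[src_as]

    def candidates(self, src_as):
        """Neighbors a packet claiming source s could legitimately have arrived from."""
        return sorted(self.feasible[src_as])


def scenario():
    # Constructed topology: AS 100 (v) peers with 200 (u), 300 (u') and 400 (attacker).
    v = IDPF(100)
    s = 500                                   # the source AS whose addresses get spoofed
    v.bgp_update(200, s)                      # u and u' both announce routes to s
    v.bgp_update(300, s)                      # AS 400 never announces a route to s
    before = (v.accept(s, 200), v.accept(s, 300), v.accept(s, 400))
    v.bgp_withdraw(200, s)                    # link between u and s fails: outcome 2
    after = (v.accept(s, 200), v.accept(s, 300), v.accept(s, 400), v.best[s])
    return {"before": before, "after": after, "candidates": v.candidates(s)}


if __name__ == "__main__":
    print(scenario())
```

The spoofed packet from AS 400 is dropped both before and after the failure, while the valid packet forwarded by u' (AS 300) is still accepted, and the candidate set for a packet claiming source s shrinks to the neighbors that actually announced s.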
IMPLEMENTATION AND DISCUSSION
The key contributions of this paper are as follows. First, we describe how we can practically construct IDPFs at an AS by using only the information in the locally exchanged BGP updates. Second, we establish the conditions under which the proposed IDPF framework works correctly, in that it does not discard packets with valid source addresses. The results show that, even with partial deployment, the architecture can proactively limit an attacker's ability to spoof packets. When spoofed packets can be stopped, IDPFs can also help localize the attacker to a small number of candidate ASes, which can significantly improve the IP traceback situation.
Activity Diagram:
Activity diagrams are typically used for business process modeling, for modeling the logic captured by a single use case or usage scenario, or for modeling the detailed logic of a business rule. Although UML activity diagrams could potentially model the internal logic of a complex operation, it would be far better to simply rewrite the operation so that it is simple enough that an activity diagram is not required. In many ways, UML activity diagrams are the object-oriented equivalent of flow charts and data flow diagrams (DFDs) from structured development.