An incrementally deployable anti-spoofing mechanism for software-defined networks

Authors

  • Jonghoon Kwon
  • Dongwon Seo
  • Minjin Kwon
  • Heejo Lee
  • Adrian Perrig
  • Hyogon Kim
Abstract

Internet attacks often use IP spoofing to forge the source IP address of packets, and thereby hide the identity of the source. This causes many serious security problems, such as the difficulty of verifying packet authenticity and of IP traceback. While many IP spoofing prevention techniques have been proposed apart from ingress filtering, none have achieved widespread real-world use. One main reason is the lack of properties favoring incremental deployment, an essential component for new technology adoption. An incrementally deployable protocol should have three properties: initial benefits for early adopters, incremental benefits for subsequent adopters, and effectiveness under partial deployment. Since no previous anti-spoofing solution satisfies all three properties, we propose an anti-spoofing mechanism called "BGP-based Anti-Spoofing Extension" (BASE). BASE is an anti-spoofing protocol designed to fulfill the incremental deployment properties. Furthermore, BASE is designed to work in software-defined networks (SDN). This gives network operators a motivation to adopt BASE in their networks, since SDN supports large-scale network control with simple operation. Based on simulations using a model of Internet connectivity, BASE shows desirable IP spoofing prevention capabilities under partial deployment. We find that just 30% deployment can drop about 97% of attack packets. It is shown that BASE not only provides benefits to early adopters, but also outperforms previous anti-spoofing mechanisms. 2015 Elsevier B.V. All rights reserved.


Similar references

Two level Authentication and Packet Marking Mechanism for Defending against DoS and DDoS Attacks

Denial of Service (DoS) attacks present a serious problem for Internet communications. IP source address spoofing is used by DoS and DDoS attacks on a targeted victim. IP spoofing forges the source IP address of the packet, and thereby hides the identity of the source. This makes it hard to detect and defend against such attacks. This paper presents a token based authentication and Packet Marking mechan...


Panopticon: Incremental Deployment of Software-Defined Networking

Software-Defined Networking (SDN) has the potential to automate and radically simplify management of computer networks—today a manual, error-prone task. Many networks however, especially enterprise networks, face a deployment problem: How to migrate an existing network to SDN? SDN must be introduced incrementally to build confidence and respect infrastructure budget constraints. In this article...


An Incrementally Deployable Protocol for Learning the Valid Incoming Direction of IP Packets

Routers in today’s Internet do not know which direction a packet with a given source address should come from. This problem not only allows IP spoofing to run wild—as routers cannot check the validity of a packet’s source address based on its incoming direction—but also hinders the reliability of many source-relevant functions at routers, such as per-source fair queuing, source-based traffic ma...


An incrementally deployable path address scheme

The research community has proposed numerous network security solutions, each dealing with a specific problem such as address spoofing, denial-of-service attacks, denial-of-quality attacks, reflection attacks, viruses, or worms. However, due to the lack of fundamental support from the Internet, individual solutions often share little common ground in their design, which causes a practical problem...


SANALDA: A Source Authenticating Network Architecture Limiting DoS Attacks

We present a novel and incrementally deployable network architecture, aiming at preventing IP spoofing and DoS attacks. Our design prevents forged IP packets from entering the network and accessing the destination service, while assuring simple and fast access to compliant users. Our system enforces user authentication on the IP level, periodically stamping each IP packet with a unique, identit...



Journal title:
  • Computer Communications

Volume 64, Issue 

Pages  -

Publication date 2015