Posts: 692
Threads: 512
Joined: Nov 2009
CONSTRUCTING INTER-DOMAIN PACKET FILTERS TO CONTROL IP SPOOFING BASED ON BGP UPDATES-- DEPENDABLE AND SECURE COMPUTING
Abstract: The Distributed Denial-of-Service (DDoS) attack is a serious threat to the legitimate use of the Internet. Prevention mechanisms are thwarted by the ability of attackers to forge or spoof the source addresses in IP packets. By employing IP spoofing, attackers can evade detection and put a substantial burden on the destination network for policing attack packets. In this paper, we propose an inter-domain packet filter (IDPF) architecture that can mitigate the level of IP spoofing on the Internet. A key feature of our scheme is that it does not require global routing information. IDPFs are constructed from the information implicit in Border Gateway Protocol (BGP) route updates and are deployed in network border routers. We establish the conditions under which the IDPF framework correctly works in that it does not discard packets with valid source addresses. Based on extensive simulation studies, we show that, even with partial deployment on the Internet, IDPFs can proactively limit the spoofing capability of attackers. In addition, they can help localize the origin of an attack packet to a small number of candidate networks.
Technology to use:JAVA
Posts: 1,149
Threads: 370
Joined: Jun 2010
[attachment=4514]
This article is presented by:
Zhenhai Duan, Xin Yuan
Department of Computer Science
Florida State University.
Jaideep Chandrashekar
Department of Computer Science
University of Minnesota
Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates
Route based packet filtering [K. Park, SIGCOMM 2001]
One can fake the identity, but not the route.
A router can decide whether it is in the path from the source to the destination and drop packets that are not supposed to be there.
Route based packet filtering Requirement:
The router must know the route between any pair of source and destination addresses.
Global topology information
Not available in BGP.
Is it possible to build route based packet filters from BGP updates?
If it is possible, what is the performance?
BGP:
Autonomous Systems (ASes) are the basic units
The network can be modeled as an AS graph
Nodes are ASes and edges are BGP sessions
Nodes own network prefixes and exchange BGP route updates to learn the reachability of prefixes
Attributes associated with routes: AS path, prefix.
Policy based routing:
Import
Route selection
Export
BGP:
Routing policies are usually decided by the AS relation
Provider-customer
Peer-peer
Sibling-sibling
Posts: 4,190
Threads: 817
Joined: Feb 2012
to get information about the topic Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates full report ppt and related topic refer the page link bellow
http://studentbank.in/report-constructin...ates--5836