Defense Against Spoofed IP Traffic Using Hop-Count Filtering

Authors: Haining Wang, Cheng Jin, Kang G. Shin

Complete Citation

Haining Wang, Cheng Jin, Kang G. Shin. Defense Against Spoofed IP Traffic Using Hop-Count Filtering. IEEE/ACM Transactions on Networking (TON), Volume: 15, Issue: 1, page(s): 40-53, Feb. 2007 Digital Object Identifier: 10.1109/TNET.2006.890133

Abstract

IP spoofing has often been exploited by Distributed Denial of Service (DDoS) attacks to: 1) conceal flooding sources and dilute localities in flooding traffic, and 2) coax legitimate hosts into becoming reflectors, redirecting and amplifying flooding traffic. Thus, the ability to filter spoofed IP packets near victim servers is essential to their own protection and prevention of becoming involuntary DoS reflectors. Although an attacker can forge any field in the IP header, he cannot falsify the number of hops an IP packet takes to reach its destination. More importantly, since the hop-count values are diverse, an attacker cannot randomly spoof IP addresses while maintaining consistent hop-counts. On the other hand, an Internet server can easily infer the hop-count information from the Time-to-Live (TTL) field of the IP header. Using a mapping between IP addresses and their hop-counts, the server can distinguish spoofed IP packets from legitimate ones. Based on this observation, we present a novel filtering technique, called Hop-Count Filtering (HCF), which builds an accurate IP-to-hop-count (IP2HC) mapping table to detect and discard spoofed IP packets. HCF is easy to deploy, as it does not require any support from the underlying network. Through analysis using network measurement data, we show that HCF can identify close to 90% of spoofed IP packets, and then discard them with little collateral damage. We implement and evaluate HCF in the Linux kernel, demonstrating its effectiveness with experimental measurements.

Annotations

The fundamental idea is to utilize inherent network information — the number of hops a packet takes to reach its destination — to distinguish spoofed packets from legitimate ones.

Based on hop-count, the paper proposed a filtering technique, called Hop-Count Filtering, to weed out spoofed IP packets at the very beginning of network processing, thus effectively protecting victim servers’ resources from abuse.

  • Hop-count inspection algorithm:
    HopCountAlg.png

NOTE: while HCF is simple and effective in thwarting IP spoofing, it has its own limitations: (1) An attacker may circumvent HCF entirely. (2) Network Address Translator (NAT) boxes and hop-count instability may cause HCF to work inaccurately.
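The inspection step described above, written out as an added example (not code from the paper or its Linux kernel implementation). The IP2HC table, the traffic, and the set of initial TTL values are constructed for this example; inferring the initial TTL as the smallest common default not below the observed TTL, and the `tolerance` knob for hop-count instability, are assumptions of this example rather than details given on this page.

```python
from collections import Counter

# Initial TTL values set by widely used IP stacks (constructed list). The example
# assumes the sender's initial TTL is the smallest of these >= the observed TTL.
# Adjacent values (30/32, 60/64) make that inference ambiguous for TTLs that fall
# between them, so the constructed hosts below use 128 as their initial TTL.
INITIAL_TTLS = (30, 32, 60, 64, 128, 255)

def infer_hop_count(observed_ttl: int) -> int:
    """Hop count = inferred initial TTL minus the TTL seen in the arriving packet."""
    if not 0 <= observed_ttl <= 255:
        raise ValueError(f"invalid TTL {observed_ttl}")
    initial = next(t for t in INITIAL_TTLS if observed_ttl <= t)
    return initial - observed_ttl

def inspect_packet(ip2hc: dict, src_ip: str, ttl: int, tolerance: int = 0) -> str:
    """Compare the packet's hop count with the IP2HC entry for its source.

    Returns 'legit', 'spoofed', or 'unknown' (source not yet in the table, so HCF
    alone cannot judge it; the table is built from previously verified traffic).
    """
    expected = ip2hc.get(src_ip)
    if expected is None:
        return "unknown"
    hop_count = infer_hop_count(ttl)
    # tolerance absorbs small hop-count changes from route instability (assumption)
    return "legit" if abs(hop_count - expected) <= tolerance else "spoofed"

def filter_traffic(ip2hc: dict, packets: list, tolerance: int = 0) -> Counter:
    """Classify a batch of (src_ip, ttl) pairs and count each verdict."""
    return Counter(inspect_packet(ip2hc, ip, ttl, tolerance) for ip, ttl in packets)

# Constructed IP2HC table: hop counts the server previously learned per source.
IP2HC = {"198.51.100.7": 12, "203.0.113.9": 8, "192.0.2.40": 17, "203.0.113.77": 21}

# Constructed traffic. Legitimate senders (initial TTL 128) arrive with a TTL
# consistent with their stored hop counts.
LEGIT = [("198.51.100.7", 128 - 12), ("203.0.113.9", 128 - 8), ("192.0.2.40", 128 - 17)]
# A flooding host 12 hops away forges other table entries as sources: every packet
# still carries the flooder's own hop count (TTL 116), which does not match the
# forged sources' diverse hop counts, so the forgeries are detected.
SPOOFED = [("203.0.113.9", 116), ("192.0.2.40", 116), ("203.0.113.77", 116)]
# Forged source the server has never seen: HCF cannot judge it from this table.
UNSEEN = [("192.0.2.250", 116)]

if __name__ == "__main__":
    print(filter_traffic(IP2HC, LEGIT + SPOOFED + UNSEEN))
```

With `tolerance=0` the batch above yields 3 legit, 3 spoofed and 1 unknown; raising `tolerance` to 1 lets a legitimate host whose route grew by one hop through, at the cost of also accepting a forgery whose hop count is off by one.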

Experimental results (HCF implemented in the Linux kernel):

  • Resource saving by HCF:
    HopCountResult.png
Topic revision: r2 - 28 Nov 2007 - 16:31:46 - YingxinJiang