IP spoofing accompanies many malicious activities and is even the means for performing reflector DDoS attacks. Route-based filtering (RBF) enables a router to filter spoofed packets based on their incoming interface; this information is stored in an incoming table. Packets arriving on the expected incoming interface for their source address are considered legitimate, while all other packets are filtered as spoofed. Past research has shown that RBF can be very effective when deployed at the vertex cover of the Internet AS-map (about 1500 ASes), but no practical approach has been proposed for incoming table construction.
We first show that RBF achieves high effectiveness even if the number of deploying points is very small (30 chosen deployment points reduce spoofed Internet traffic to 5%). We further show that completeness of the incoming tables is critical for filtering effectiveness: partially filled tables are no better than empty ones. This implies that routers cannot rely on reports from a few participating domains to build their incoming tables, but instead must devise means of accurately "guessing" incoming interface information for all traffic they see. Their guessing strategy must react quickly to offending traffic and determine with high accuracy whether the reason for the offense was a route change (in which case the incoming interface information must be updated) or spoofing.
We next propose a protocol called Clouseau which builds accurate incoming tables at RBF routers and keeps these tables up to date in the face of frequent route changes. Clouseau infers incoming table information by applying randomized drops to offending TCP traffic and observing its retransmission behavior. No communication is required with packet sources or other RBF routers, which makes Clouseau suitable for partial deployment. The inference process is further resilient to subversion by an attacker who is familiar with the design of Clouseau.
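As an added illustration (not the paper's code and not the actual Clouseau algorithm), the following Python models an RBF router whose incoming table maps a source /24 to its expected interface, and adds the simplest form of the inference the abstract describes: an offending TCP segment is dropped, and if the same segment is retransmitted on the same interface, a live TCP sender is assumed to be behind it, so the table is updated as a route change. The /24 granularity, the single deterministic drop, and the packet field names are assumptions; Clouseau's randomized drops and its resistance to subversion are not modelled.

```python
from collections import defaultdict


class RBFRouter:
    """Toy route-based filter with retransmission-based table learning (constructed model)."""

    def __init__(self, incoming_table):
        self.table = dict(incoming_table)   # source prefix -> expected incoming interface
        self.pending = {}                   # (src, dst, seq) -> interface the segment was dropped on
        self.stats = defaultdict(int)

    @staticmethod
    def _prefix(ip):
        # Assumption: incoming table keyed by /24 of the source address.
        return ".".join(ip.split(".")[:3]) + ".0/24"

    def handle(self, pkt):
        """pkt is a dict with src, dst, seq, iface. Returns 'forward' or 'drop'."""
        prefix = self._prefix(pkt["src"])
        if self.table.get(prefix) == pkt["iface"]:
            self.stats["forwarded"] += 1          # expected interface: legitimate
            return "forward"
        key = (pkt["src"], pkt["dst"], pkt["seq"])
        if self.pending.get(key) == pkt["iface"]:
            # Same segment seen again on the same unexpected interface: a real TCP
            # sender is retransmitting after our drop, so treat it as a route change.
            del self.pending[key]
            self.table[prefix] = pkt["iface"]
            self.stats["relearned"] += 1
            return "forward"
        # First offending packet: drop it and wait to see whether it is retransmitted.
        self.pending[key] = pkt["iface"]
        self.stats["dropped"] += 1
        return "drop"


def simulate():
    """Constructed trace: a legitimate flow, a route change, then a spoofed source."""
    r = RBFRouter({"10.0.1.0/24": "eth0"})
    trace = [
        {"src": "10.0.1.5", "dst": "192.0.2.1", "seq": 100, "iface": "eth0"},  # expected path
        {"src": "10.0.1.5", "dst": "192.0.2.1", "seq": 200, "iface": "eth1"},  # route moved: dropped
        {"src": "10.0.1.5", "dst": "192.0.2.1", "seq": 200, "iface": "eth1"},  # retransmitted: learned
        {"src": "10.0.1.9", "dst": "192.0.2.1", "seq": 7,   "iface": "eth2"},  # spoofed: dropped
        {"src": "10.0.1.9", "dst": "192.0.2.1", "seq": 8,   "iface": "eth2"},  # no retransmission, dropped
    ]
    actions = [r.handle(p) for p in trace]
    return actions, dict(r.table), dict(r.stats)


if __name__ == "__main__":
    print(simulate())
```

The model shows why a spoofing source that never retransmits stays filtered while a genuinely rerouted sender is admitted after one drop; a pending entry never expires here, which a deployable version would need.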
Jelena Mirkovic received her B.Sc. at the University of Belgrade, Serbia and Montenegro, in 1998 and her M.S. and Ph.D. at UCLA in 2000 and 2003. In 2003, she joined the University of Delaware as an assistant professor. Her research investigates distributed denial-of-service detection and defense, IP spoofing and Internet worms, and is supported by NSF and the Department of Homeland Security.