A Cryptographic Approach to Defend against IP Spoofing

  • Conference paper
Information Processing and Management (BAIP 2010)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 70)

Abstract

IP spoofing has often been exploited by Distributed Denial of Service (DDoS) attacks to: 1) conceal flooding sources and dilute localities in flooding traffic, and 2) coax legitimate hosts into becoming reflectors, redirecting and amplifying flooding traffic. Thus, the ability to filter spoofed IP packets near victim servers is essential to their own protection and to preventing them from becoming involuntary DoS reflectors. Our scheme is based on a firewall that can distinguish attack packets (containing spoofed source addresses) from packets sent by legitimate users, and thus filters out most of the attack packets before they reach the victim. We estimate that an implementation of this scheme would require the cooperation of only about 20% of Internet routers in the marking process. The scheme allows the firewall system to configure itself based on the normal traffic of a Web server, so that the occurrence of an attack can be quickly and precisely detected. With this cryptographic approach, we aim to combine the two existing approaches against IP spoofing, namely the victim-based and router-based approaches, thereby enhancing the speed of detection and prevention of IP-spoofed packets.

Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Ravi, M., Narasimman, S., Kumar, G.K.A., Karthikeyan, D. (2010). A Cryptographic Approach to Defend against IP Spoofing. In: Das, V.V., et al. Information Processing and Management. BAIP 2010. Communications in Computer and Information Science, vol 70. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-12214-9_47

  • DOI: https://doi.org/10.1007/978-3-642-12214-9_47

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-12213-2

  • Online ISBN: 978-3-642-12214-9

  • eBook Packages: Computer Science, Computer Science (R0)
