Idpf (EDocFind (1) .Com)
Zhenhai Duan, Xin Yuan, Department of Computer Science, Florida State University
Jaideep Chandrashekar, Department of Computer Science, University of Minnesota
IP spoofing:
Forging the source address.
Used by many popular DDoS attacks.
Makes it difficult to defend against attacks.
One can fake the identity, but not the route. A router can decide whether it is on the path from the source to the destination and drop packets that are not supposed to be there. A route-based packet filter cannot completely eliminate IP spoofing; however, it can significantly reduce it.
Is it possible to infer the feasible route information from BGP updates? If it is possible, what is the performance?
BGP basic:
Autonomous Systems (AS) are the basic units
The network can be modeled as an AS graph.
Nodes are ASes and edges are BGP sessions.
Nodes own network prefixes and exchange BGP route updates to learn the reachability of prefixes.
Attributes associated with routes: AS path, prefix.
An incremental protocol: updates are generated only in response to network events.
Policy based routing:
Import
Route selection
Export
AS relationships and routing policy:
Provider-customer
Peer-peer
Sibling-sibling
Property of BGP routes:
Uphill path: customer-provider edges or sibling-sibling edges.
Downhill path: provider-customer edges or sibling-sibling edges.
Theorem 1 (Gao [17]): If all ASes set their export policies according to r1-r4, BGP routes belong to one of the following:
An uphill path
A downhill path
An uphill path followed by a downhill path
An uphill path followed by a peer-to-peer edge
A peer-to-peer edge followed by a downhill path
An uphill path followed by a peer-to-peer edge followed by a downhill path
Import rules:
If u is a feasible upstream neighbor of v for packet M(s, d), node u must have exported to v its best route to reach s.
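The rule above can be turned into a source-address filter at AS v: a packet with source s arriving from neighbor u is accepted only if u has exported to v a route covering s. The sketch below is an added example, not code from the slides or their authors; the class and method names, the sample updates, the choice to match any covering prefix, and the choice to drop sources with no known route are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: updates AS v received, as (sending neighbor AS, prefix,
# AS path). Private-use AS numbers and documentation prefixes only.
UPDATES = [
    (64501, "192.0.2.0/24", [64501, 64510]),
    (64502, "192.0.2.0/24", [64502, 64511, 64510]),
    (64502, "198.51.100.0/24", [64502, 64520]),
    (64503, "198.51.100.0/25", [64503, 64520]),
]


class IDPF:
    """Source-address filter at AS v, built only from received BGP updates."""

    def __init__(self, updates=()):
        # prefix -> neighbors that exported a route to it (feasible upstream set)
        self.feasible = defaultdict(set)
        for neighbor, prefix, as_path in updates:
            self.announce(neighbor, prefix, as_path)

    def announce(self, neighbor, prefix, as_path):
        # Ignore updates whose first AS-path hop is not the sending neighbor.
        if as_path and as_path[0] == neighbor:
            self.feasible[ipaddress.ip_network(prefix)].add(neighbor)

    def feasible_neighbors(self, src_ip):
        """Neighbors that exported a route for any prefix covering src_ip.

        Assumption: matching any covering prefix (not only the longest one)
        keeps the filter conservative, so it errs toward accepting.
        """
        addr = ipaddress.ip_address(src_ip)
        found = set()
        for prefix, neighbors in self.feasible.items():
            if addr in prefix:
                found |= neighbors
        return found

    def accept(self, neighbor, src_ip):
        # Assumption: a source with no known route is dropped.
        return neighbor in self.feasible_neighbors(src_ip)


if __name__ == "__main__":
    f = IDPF(UPDATES)
    for nbr, src in [(64501, "192.0.2.7"), (64503, "192.0.2.7"),
                     (64503, "198.51.100.5"), (64503, "198.51.100.200")]:
        print(nbr, src, "accept" if f.accept(nbr, src) else "drop")
```

The filter keeps a set of feasible neighbors per prefix rather than a single best next hop, which is why a spoofed packet that happens to arrive through a feasible neighbor still passes.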
IDPFs:
Performance:
Because IDPF finds a set of feasible paths instead of one best route, its performance will not be as good as the ideal route based filters [Park 2001].
Important question: How many ASes must deploy IDPF to be effective?
IDPF has two effects:
Reducing the number of prefixes that can be spoofed
Localizing the source of spoofed packets
Performance metrics:
Data Set:
4 AS graphs from the BGP data archived by the Oregon Route Views Project.
Experimental setting
Determine the feasible paths based on update logs.
Use shortest path as the route (add if the shortest path is not a feasible path).
Selecting nodes that deploy IDPF:
Random (rnd30/rnd50)
Vertex cover
If not mentioned specifically, IDPF nodes also have network ingress filtering.
Conclusion:
We proposed and studied IDPF.
IDPF can limit the spoofing capability of attackers even when partially deployed and improves the accuracy of IP traceback.
IDPF provides local incentives for deployment.