An incrementally deployable anti-spoofing mechanism for software-defined networks

Jonghoon Kwon, Dongwon Seo, Minjin Kwon, Heejo Lee, Adrian Perrig, Hyogon Kim

Research output: Contribution to journalArticle

14 Citations (Scopus)

Abstract

Internet attacks often use IP spoofing to forge the source IP address of packets, and thereby hide the identity of the source. It causes many serious security problems such as the difficulty of packet authenticity and IP traceback. While many IP spoofing prevention techniques have been proposed apart from ingress filtering, none have achieved widespread real-world use. One main reason is the lack of properties favoring incremental deployment, an essential component for new technology adoption. An incrementally deployable protocol should have three properties: initial benefits for early adopters, incremental benefits for subsequent adopters, and effectiveness under partial deployment. Since no previous anti-spoofing solution satisfies all three properties, we propose an anti-spoofing mechanism called "BGP-based Anti-Spoofing Extension" (BASE). BASE is an anti-spoofing protocol designed to fulfill the incremental deployment properties. Furthermore, BASE is designed to work in the software-defined networks (SDN). It gives a motivation to network operators to adopt BASE into their network, since the idea of SDN supports the large scale network control with a simple operation. Based on simulations using a model of Internet connectivity, BASE shows desirable IP spoofing prevention capabilities under partial deployment. We find that just 30% deployment can drop about 97% of attack packets. It is shown that BASE not only provides benefits to early adopters, but also outperforms previous anti-spoofing mechanisms.

Original languageEnglish
Pages (from-to)1-20
Number of pages20
JournalComputer Communications
Volume64
DOIs
Publication statusPublished - 2015 Jun 15

Fingerprint

Internet
Network protocols

Keywords

  • BGP-based anti-spoofing extension
  • Distributed DoS attack
  • IP spoofing prevention
  • Packet marking and filtering
  • SDN security

ASJC Scopus subject areas

  • Computer Networks and Communications

Cite this

An incrementally deployable anti-spoofing mechanism for software-defined networks. / Kwon, Jonghoon; Seo, Dongwon; Kwon, Minjin; Lee, Heejo; Perrig, Adrian; Kim, Hyogon.

In: Computer Communications, Vol. 64, 15.06.2015, p. 1-20.

Research output: Contribution to journalArticle

Kwon, Jonghoon ; Seo, Dongwon ; Kwon, Minjin ; Lee, Heejo ; Perrig, Adrian ; Kim, Hyogon. / An incrementally deployable anti-spoofing mechanism for software-defined networks. In: Computer Communications. 2015 ; Vol. 64. pp. 1-20.
@article{ab143e9e1a774f9490043264dde691f8,
title = "An incrementally deployable anti-spoofing mechanism for software-defined networks",
abstract = "Internet attacks often use IP spoofing to forge the source IP address of packets, and thereby hide the identity of the source. It causes many serious security problems such as the difficulty of packet authenticity and IP traceback. While many IP spoofing prevention techniques have been proposed apart from ingress filtering, none have achieved widespread real-world use. One main reason is the lack of properties favoring incremental deployment, an essential component for new technology adoption. An incrementally deployable protocol should have three properties: initial benefits for early adopters, incremental benefits for subsequent adopters, and effectiveness under partial deployment. Since no previous anti-spoofing solution satisfies all three properties, we propose an anti-spoofing mechanism called {"}BGP-based Anti-Spoofing Extension{"} (BASE). BASE is an anti-spoofing protocol designed to fulfill the incremental deployment properties. Furthermore, BASE is designed to work in the software-defined networks (SDN). It gives a motivation to network operators to adopt BASE into their network, since the idea of SDN supports the large scale network control with a simple operation. Based on simulations using a model of Internet connectivity, BASE shows desirable IP spoofing prevention capabilities under partial deployment. We find that just 30{\%} deployment can drop about 97{\%} of attack packets. It is shown that BASE not only provides benefits to early adopters, but also outperforms previous anti-spoofing mechanisms.",
keywords = "BGP-based anti-spoofing extension, Distributed DoS attack, IP spoofing prevention, Packet marking and filtering, SDN security",
author = "Jonghoon Kwon and Dongwon Seo and Minjin Kwon and Heejo Lee and Adrian Perrig and Hyogon Kim",
year = "2015",
month = "6",
day = "15",
doi = "10.1016/j.comcom.2015.03.003",
language = "English",
volume = "64",
pages = "1--20",
journal = "Computer Communications",
issn = "0140-3664",
publisher = "Elsevier",

}

TY - JOUR

T1 - An incrementally deployable anti-spoofing mechanism for software-defined networks

AU - Kwon, Jonghoon

AU - Seo, Dongwon

AU - Kwon, Minjin

AU - Lee, Heejo

AU - Perrig, Adrian

AU - Kim, Hyogon

PY - 2015/6/15

Y1 - 2015/6/15

N2 - Internet attacks often use IP spoofing to forge the source IP address of packets, and thereby hide the identity of the source. It causes many serious security problems such as the difficulty of packet authenticity and IP traceback. While many IP spoofing prevention techniques have been proposed apart from ingress filtering, none have achieved widespread real-world use. One main reason is the lack of properties favoring incremental deployment, an essential component for new technology adoption. An incrementally deployable protocol should have three properties: initial benefits for early adopters, incremental benefits for subsequent adopters, and effectiveness under partial deployment. Since no previous anti-spoofing solution satisfies all three properties, we propose an anti-spoofing mechanism called "BGP-based Anti-Spoofing Extension" (BASE). BASE is an anti-spoofing protocol designed to fulfill the incremental deployment properties. Furthermore, BASE is designed to work in the software-defined networks (SDN). It gives a motivation to network operators to adopt BASE into their network, since the idea of SDN supports the large scale network control with a simple operation. Based on simulations using a model of Internet connectivity, BASE shows desirable IP spoofing prevention capabilities under partial deployment. We find that just 30% deployment can drop about 97% of attack packets. It is shown that BASE not only provides benefits to early adopters, but also outperforms previous anti-spoofing mechanisms.

AB - Internet attacks often use IP spoofing to forge the source IP address of packets, and thereby hide the identity of the source. It causes many serious security problems such as the difficulty of packet authenticity and IP traceback. While many IP spoofing prevention techniques have been proposed apart from ingress filtering, none have achieved widespread real-world use. One main reason is the lack of properties favoring incremental deployment, an essential component for new technology adoption. An incrementally deployable protocol should have three properties: initial benefits for early adopters, incremental benefits for subsequent adopters, and effectiveness under partial deployment. Since no previous anti-spoofing solution satisfies all three properties, we propose an anti-spoofing mechanism called "BGP-based Anti-Spoofing Extension" (BASE). BASE is an anti-spoofing protocol designed to fulfill the incremental deployment properties. Furthermore, BASE is designed to work in the software-defined networks (SDN). It gives a motivation to network operators to adopt BASE into their network, since the idea of SDN supports the large scale network control with a simple operation. Based on simulations using a model of Internet connectivity, BASE shows desirable IP spoofing prevention capabilities under partial deployment. We find that just 30% deployment can drop about 97% of attack packets. It is shown that BASE not only provides benefits to early adopters, but also outperforms previous anti-spoofing mechanisms.

KW - BGP-based anti-spoofing extension

KW - Distributed DoS attack

KW - IP spoofing prevention

KW - Packet marking and filtering

KW - SDN security

UR - http://www.scopus.com/inward/record.url?scp=84930091389&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84930091389&partnerID=8YFLogxK

U2 - 10.1016/j.comcom.2015.03.003

DO - 10.1016/j.comcom.2015.03.003

M3 - Article

AN - SCOPUS:84930091389

VL - 64

SP - 1

EP - 20

JO - Computer Communications

JF - Computer Communications

SN - 0140-3664

ER -