An incrementally deployable anti-spoofing mechanism for software-defined networks

Jonghoon Kwon, Dongwon Seo, Minjin Kwon, Heejo Lee, Adrian Perrig, Hyogon Kim

Research output: Contribution to journalArticle

18 Citations (Scopus)

Abstract

Internet attacks often use IP spoofing to forge the source IP address of packets, and thereby hide the identity of the source. It causes many serious security problems such as the difficulty of packet authenticity and IP traceback. While many IP spoofing prevention techniques have been proposed apart from ingress filtering, none have achieved widespread real-world use. One main reason is the lack of properties favoring incremental deployment, an essential component for new technology adoption. An incrementally deployable protocol should have three properties: initial benefits for early adopters, incremental benefits for subsequent adopters, and effectiveness under partial deployment. Since no previous anti-spoofing solution satisfies all three properties, we propose an anti-spoofing mechanism called "BGP-based Anti-Spoofing Extension" (BASE). BASE is an anti-spoofing protocol designed to fulfill the incremental deployment properties. Furthermore, BASE is designed to work in the software-defined networks (SDN). It gives a motivation to network operators to adopt BASE into their network, since the idea of SDN supports the large scale network control with a simple operation. Based on simulations using a model of Internet connectivity, BASE shows desirable IP spoofing prevention capabilities under partial deployment. We find that just 30% deployment can drop about 97% of attack packets. It is shown that BASE not only provides benefits to early adopters, but also outperforms previous anti-spoofing mechanisms.

Original languageEnglish
Pages (from-to)1-20
Number of pages20
JournalComputer Communications
Volume64
DOIs
Publication statusPublished - 2015 Jun 15

Keywords

  • BGP-based anti-spoofing extension
  • Distributed DoS attack
  • IP spoofing prevention
  • Packet marking and filtering
  • SDN security

ASJC Scopus subject areas

  • Computer Networks and Communications

Fingerprint Dive into the research topics of 'An incrementally deployable anti-spoofing mechanism for software-defined networks'. Together they form a unique fingerprint.

  • Cite this