BASE: An incrementally deployable mechanism for viable IP spoofing prevention

Heejo Lee, Minjin Kwon, Geoffrey Hasker, Adrian Perrig

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

31 Citations (Scopus)

Abstract

DoS attacks use IP spoofing to forge the source IP address of packets, and thereby hide the identity of the source. This makes it hard to defend against DoS attacks, so IP spoofing will still be used as an aggressive attack mechanism even under distributed attack environment. While many IP spoofing prevention techniques have been proposed, none have achieved widespread real-world use. One main reason is the lack of properties favoring incremental deployment, an essential component for the adoption of new technologies. A viable solution needs to be not only technically sound but also economically acceptable. An incrementally deployable protocol should have three properties: initial benefits for early adopters, incremental benefits for subsequent adopters, and effectiveness under partial deployment. Since no previous anti-spoofing solution satisfies all three of these properties, we propose a new mechanism called "BGP Anti-Spoofing Extension" (BASE). The BASE mechanism is an anti-spoofing protocol designed to fulfill the incremental deployment properties necessary for adoption in current Internet environments. Based on simulations we ran using a model of Internet AS connectivity, BASE shows desirable IP spoofing prevention capabilities under partial deployment. We find that just 30% deployment can drop about 97% of attack packets. Therefore, BASE not only provides adopters' benefit but also outperforms previous anti-spoofing mechanisms.

Original language: English
Title of host publication: Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, ASIACCS '07
Pages: 20-31
Number of pages: 12
Publication status: Published - 2007 Oct 1
Event: 2nd ACM Symposium on Information, Computer and Communications Security, ASIACCS '07 - Singapore, Singapore
Duration: 2007 Mar 20 to 2007 Mar 22

Other

Other: 2nd ACM Symposium on Information, Computer and Communications Security, ASIACCS '07
Country: Singapore
City: Singapore
Period: 07/3/20 to 07/3/22

Fingerprint

Internet
Network protocols
Acoustic waves
Denial-of-service attack

Keywords

  • BGP anti-spoofing extension
  • DDoS attack
  • IP spoofing
  • Packet marking and filtering

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Software

Cite this

Lee, H., Kwon, M., Hasker, G., & Perrig, A. (2007). BASE: An incrementally deployable mechanism for viable IP spoofing prevention. In Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, ASIACCS '07 (pp. 20-31) https://doi.org/10.1145/1229285.1229293

@inproceedings{af3d4574d3dc497fb97e07d7ca0a7cdd,
title = "BASE: An incrementally deployable mechanism for viable IP spoofing prevention",
keywords = "BGP anti-spoofing extension, DDoS attack, IP spoofing, Packet marking and filtering",
author = "Heejo Lee and Minjin Kwon and Geoffrey Hasker and Adrian Perrig",
year = "2007",
month = "10",
day = "1",
doi = "10.1145/1229285.1229293",
language = "English",
isbn = "1595935746",
pages = "20--31",
booktitle = "Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, ASIACCS '07",

}

TY - GEN

T1 - BASE

T2 - An incrementally deployable mechanism for viable IP spoofing prevention

AU - Lee, Heejo

AU - Kwon, Minjin

AU - Hasker, Geoffrey

AU - Perrig, Adrian

PY - 2007/10/1

Y1 - 2007/10/1

KW - BGP anti-spoofing extension

KW - DDoS attack

KW - IP spoofing

KW - Packet marking and filtering

UR - http://www.scopus.com/inward/record.url?scp=34748852577&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=34748852577&partnerID=8YFLogxK

U2 - 10.1145/1229285.1229293

DO - 10.1145/1229285.1229293

M3 - Conference contribution

SN - 1595935746

SN - 9781595935748

SP - 20

EP - 31

BT - Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, ASIACCS '07

ER -