CIT- 100 Tracking and Tracing Spoofed IP Packets to Their So(3)
Published: 2021-06-06
As the Internet becomes increasingly important as a business infrastructure, the number of attacks on it, especially denial of service (DoS) attacks, grows. A DoS attack is an attempt by a person or a group of persons to cripple an online service. Consequen
College of Information Technology
can be greatly limited through cooperative efforts by ISPs, using a basic packet filtering approach called network ingress filtering.
For example, assume that an ISP provides Internet connectivity to a customer network and assigns the customer a fixed set of IP addresses. Assume that the connectivity is provided via the ISP’s router R. To limit IP source address spoofing, the ISP places an ingress (input) filter on the input link of router R, which carries packets from the customer network into the ISP’s network and onto the Internet. The ingress filter is set to forward along all packets with source addresses that belong to the known set of IP addresses assigned to the customer network by the ISP, but the filter discards (and optionally logs as suspicious) all packets that contain source IP addresses that do not match the valid range of the customer’s known IP addresses. Hence, packets with source addresses that could not have legitimately originated from within the customer network will be dropped at the entry point to the ISP’s network.
The widespread use of ingress filtering by all service providers would greatly limit the ability of an attacker to generate attack packets utilizing a broad range of spoofed source addresses, making tracking and tracing the attacker a much easier task. Any attacker located within the customer network, in our example above, would either have to generate packets that carry the attacker’s legitimate source address or (at worst) spoof a source address that lies within the set of IP addresses assigned to the customer network. So, even in the worst case, an attack originating within the customer network in our example can be traced to some machine in that customer network, simply by reading the source address on the attack packet. With the help of the administrator of the customer network, the search for the attacker can then proceed in a greatly narrowed search space.
3. SPOOFED PACKETS DETECTION METHODS
Detection methods can be classified as those requiring router support, active host-based methods, passive host-based methods, and administrative methods. Administrative methods are the most commonly used methods today. When an attack is observed, security personnel at the attacked site contact the security personnel at the supposed attack site and ask for corroboration. This is extremely inefficient and generally fruitless. An automated method of determining whether packets are likely to have been spoofed is clearly needed. This section describes a number of such methods.
3.1 Routing methods
Because routers (or IP level switches) can know which IP addresses originate with which network interface, it is possible for them to identify packets that should not have been received by a particular interface. For example, a border router or gateway will know whether addresses are internal to the network or external. If the router receives IP packets with external IP addresses on an internal interface, or it receives IP packets with an internal IP address on an external interface, the packet source is most likely spoofed. In the wake of recent denial-of-service attacks involving spoofed attack packets, ISPs and other network operators have been urged to filter packets using the above-described method. Filtering inbound packets, known as ingress filtering, protects the organization from outside attacks. Similarly, filtering outbound packets prevents internal computers from being involved in spoofing attacks. Such filtering is known as egress filtering. It is interesting to note that if all routers were configured to use ingress and/or egress filtering, attacks would be limited to those staged within an organization or require an attacker to subvert a router.

Internal routers with a strong notion of inside/outside can also detect spoofed packets. However, certain network topologies may contain redundant routes making this distinction unclear. In these cases, host based methods (discussed in section 4.2) can be used at the router.

A number of IP addresses are reserved by the IANA for special purposes. These are listed in table 1. The addresses in the first group are private addresses and should not be routed beyond a local network. Seeing these on an outside interface may indicate spoofed packets. Depending on the particular site, seeing these on an internal address would also be suspicious. The other addresses in table 1 are special purpose, local only addresses and should never be seen on an outer interface.
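The ingress filter on router R described in section 2 and the interface-based checks just described can be modelled in a few lines. The following is an added example, not code from the paper; the customer prefix and the packets are constructed, and because table 1 is not reproduced on this page, the special-purpose ranges are an assumption drawn from the RFC 1918 private ranges plus the usual loopback, link-local, multicast and reserved blocks.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Assumed stand-in for table 1 (the table itself is not on this page):
# private ranges (RFC 1918) followed by local-only/special-purpose blocks.
SPECIAL_PURPOSE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # private, not routable beyond a LAN
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this network"
    "224.0.0.0/4", "240.0.0.0/4",                      # multicast, reserved
)]


class IngressFilter:
    """Models router R: it knows the address block assigned to the customer
    and which link a packet arrived on ('internal' = from the customer
    network, 'external' = from the rest of the Internet)."""

    def __init__(self, customer_prefixes: Iterable[str]):
        self.customer = [ipaddress.ip_network(p) for p in customer_prefixes]
        self.log: List[Tuple[str, str, str]] = []   # optional "log as suspicious"

    @staticmethod
    def _in(addr, nets) -> bool:
        return any(addr in n for n in nets)

    def decide(self, src: str, iface: str) -> str:
        """Return 'forward' or 'drop' for a packet with source src seen on iface."""
        a = ipaddress.ip_address(src)
        reason = None
        if self._in(a, SPECIAL_PURPOSE):
            reason = "special-purpose source address should not cross this router"
        elif iface == "internal" and not self._in(a, self.customer):
            reason = "source outside the customer's assigned range (ingress rule)"
        elif iface == "external" and self._in(a, self.customer):
            reason = "customer address arriving on the external interface"
        if reason:
            self.log.append((src, iface, reason))
            return "drop"
        return "forward"


def filter_packets(flt: IngressFilter, packets: Iterable[Tuple[str, str]]) -> List[str]:
    """Apply the filter to (source, interface) pairs and return the decisions."""
    return [flt.decide(src, iface) for src, iface in packets]


# Constructed traffic sample: customer holds 203.0.113.0/24 (documentation prefix).
SAMPLE = [("203.0.113.7", "internal"), ("198.51.100.9", "internal"),
          ("203.0.113.7", "external"), ("10.1.2.3", "external"),
          ("198.51.100.9", "external")]
```

Running `filter_packets(IngressFilter(["203.0.113.0/24"]), SAMPLE)` forwards only the two packets whose source is plausible for the link they arrived on; the three dropped packets appear in `flt.log` with the rule that rejected them.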
Many firewalls look for the packets described in this section. Typically they are dropped when received.
Because firewalls have been a popular security product, research into routing methods has been active. Almost all research has been in this area. Routers can also take a more active role in detecting spoofed packets. A number of advanced router projects have dealt with this and spoofed packet traceback.
These are discussed in section 6. We have proposed a number of proactive methods that can be used to detect and prevent spoofed packets.
One limitation of routing methods is that they are effective only when packets pass through them. An attacker on the same subnet as the target could still spoof packets. When the attacker is on the same
CIT - 102 The Sixth Annual U.A.E. Research Conference