An incrementally deployable anti-spoofing mechanism for software-defined networks

Jonghoon Kwon, Dongwon Seo, Minjin Kwon, Heejo Lee, Adrian Perrig, Hyogon Kim

    Research output: Contribution to journalArticlepeer-review

    25 Citations (Scopus)

    Abstract

    Internet attacks often use IP spoofing to forge the source IP address of packets, and thereby hide the identity of the source. It causes many serious security problems such as the difficulty of packet authenticity and IP traceback. While many IP spoofing prevention techniques have been proposed apart from ingress filtering, none have achieved widespread real-world use. One main reason is the lack of properties favoring incremental deployment, an essential component for new technology adoption. An incrementally deployable protocol should have three properties: initial benefits for early adopters, incremental benefits for subsequent adopters, and effectiveness under partial deployment. Since no previous anti-spoofing solution satisfies all three properties, we propose an anti-spoofing mechanism called "BGP-based Anti-Spoofing Extension" (BASE). BASE is an anti-spoofing protocol designed to fulfill the incremental deployment properties. Furthermore, BASE is designed to work in the software-defined networks (SDN). It gives a motivation to network operators to adopt BASE into their network, since the idea of SDN supports the large scale network control with a simple operation. Based on simulations using a model of Internet connectivity, BASE shows desirable IP spoofing prevention capabilities under partial deployment. We find that just 30% deployment can drop about 97% of attack packets. It is shown that BASE not only provides benefits to early adopters, but also outperforms previous anti-spoofing mechanisms.

    Original languageEnglish
    Pages (from-to)1-20
    Number of pages20
    JournalComputer Communications
    Volume64
    DOIs
    Publication statusPublished - 2015 Jun 15

    Bibliographical note

    Publisher Copyright:
    © 2015 Elsevier B.V.

    Keywords

    • BGP-based anti-spoofing extension
    • Distributed DoS attack
    • IP spoofing prevention
    • Packet marking and filtering
    • SDN security

    ASJC Scopus subject areas

    • Computer Networks and Communications

    Fingerprint

    Dive into the research topics of 'An incrementally deployable anti-spoofing mechanism for software-defined networks'. Together they form a unique fingerprint.

    Cite this