TY - GEN
T1 - BASE
T2 - 2nd ACM Symposium on Information, Computer and Communications Security, ASIACCS '07
AU - Lee, Heejo
AU - Kwon, Minjin
AU - Hasker, Geoffrey
AU - Perrig, Adrian
PY - 2007
Y1 - 2007
AB - DoS attacks use IP spoofing to forge the source IP address of packets, and thereby hide the identity of the source. This makes it hard to defend against DoS attacks, so IP spoofing will still be used as an aggressive attack mechanism even under distributed attack environment. While many IP spoofing prevention techniques have been proposed, none have achieved widespread real-world use. One main reason is the lack of properties favoring incremental deployment, an essential component for the adoption of new technologies. A viable solution needs to be not only technically sound but also economically acceptable. An incrementally deployable protocol should have three properties: initial benefits for early adopters, incremental benefits for subsequent adopters, and effectiveness under partial deployment. Since no previous anti-spoofing solution satisfies all three of these properties, we propose a new mechanism called "BGP Anti-Spoofing Extension" (BASE). The BASE mechanism is an anti-spoofing protocol designed to fulfill the incremental deployment properties necessary for adoption in current Internet environments. Based on simulations we ran using a model of Internet AS connectivity, BASE shows desirable IP spoofing prevention capabilities under partial deployment. We find that just 30% deployment can drop about 97% of attack packets. Therefore, BASE not only provides adopters' benefit but also outperforms previous anti-spoofing mechanisms.
KW - BGP anti-spoofing extension
KW - DDoS attack
KW - IP spoofing
KW - Packet marking and filtering
UR - http://www.scopus.com/inward/record.url?scp=34748852577&partnerID=8YFLogxK
U2 - 10.1145/1229285.1229293
DO - 10.1145/1229285.1229293
M3 - Conference contribution
AN - SCOPUS:34748852577
SN - 1595935746
SN - 9781595935748
T3 - Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, ASIACCS '07
SP - 20
EP - 31
BT - Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, ASIACCS '07
Y2 - 20 March 2007 through 22 March 2007
ER -