VASE: Filtering IP spoofing traffic with agility

Authors:
Guang Yao;Jun Bi;Peiyao Xiao
Affiliations:
Tsinghua University, FIT Building Room 4-204, Beijing 100084, China;Tsinghua University, FIT Building Room 4-204, Beijing 100084, China;Tsinghua University, FIT Building Room 4-204, Beijing 100084, China
Venue:
Computer Networks: The International Journal of Computer and Telecommunications Networking
Year:
2013

Citing 12
Cited 0

On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets

Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications
Measuring ISP topologies with rocketfuel

IEEE/ACM Transactions on Networking (TON)
A first-principles approach to understanding the internet's router-level topology

Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
A clean slate 4D approach to network control and management

ACM SIGCOMM Computer Communication Review
Inferring Internet denial-of-service activity

ACM Transactions on Computer Systems (TOCS)
Defense against spoofed IP traffic using hop-count filtering

IEEE/ACM Transactions on Networking (TON)
Ethane: taking control of the enterprise

Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications
OpenFlow: enabling innovation in campus networks

ACM SIGCOMM Computer Communication Review
Passport: secure and adoptable source authentication

NSDI'08 Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation
Understanding the efficacy of deployed internet source address validation filtering

Proceedings of the 9th ACM SIGCOMM conference on Internet measurement conference
OpenRouter: OpenFlow extension and implementation based on a commercial router

ICNP '11 Proceedings of the 2011 19th IEEE International Conference on Network Protocols
Routing of multipoint connections

IEEE Journal on Selected Areas in Communications

Quantified Score

Hi-index	0.00

Visualization

Abstract

Filtering out traffic with forged source address on routers can significantly improve the security of Internet. However, despite intermittent IP spoofing attacks, existing filtering mechanisms inspect each packet all the time, consuming considerable resource on routers even there is no spoofing at all. This article considers the requirement for a solution performing IP spoofing filtering with agility, which consumes resource in proportional to the size of attack. A novel IP spoofing filtering mechanism named Virtual Anti-Spoofing Edge (VASE) is proposed in this article. VASE uses sampling and on-demand filter configuration to reduce unnecessary overhead in peace time. The evaluation based on simulation shows VASE has obvious advantages over commonly used mechanisms in various scenarios. VASE is fully compatible with current IP spoofing filtering practices and can be implemented with commodity routers. In the campus network of Tsinghua University, VASE is providing real benefits.