Abstract
Since many networks do not apply source IP filtering to their outgoing traffic, an attacker may insert an arbitrary source IP address into an outgoing packet, i.e., perform IP address spoofing. This paper explores the possibility of detecting spoofing in a large network that peers with other networks. The proposed detection scheme is based on an analysis of NetFlow data collected at the entry points of the network. The scheme assumes that network traffic originating from a given source network enters the network under surveillance via a relatively stable set of points. The scheme has been tested on data from a real network.
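The premise stated in the abstract can be illustrated with a small entry-point history model. This is an added example, not the paper's algorithm or code: the /24 aggregation, the two thresholds, the entry-point labels and the sample flows are all assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

PREFIX_LEN = 24      # assumption: aggregate sources by /24
MIN_HISTORY = 20     # assumption: flows needed before a prefix is judged
MIN_SHARE = 0.05     # assumption: entry points below this share are unusual

def prefix_of(src_ip):
    """Map a source address to its aggregation prefix."""
    return ipaddress.ip_network(f"{src_ip}/{PREFIX_LEN}", strict=False)


class EntryPointHistory:
    """Per-prefix counts of the entry points where flows were observed."""

    def __init__(self):
        self.seen = defaultdict(Counter)

    def learn(self, src_ip, entry_point):
        self.seen[prefix_of(src_ip)][entry_point] += 1

    def classify(self, src_ip, entry_point):
        """Return 'expected', 'suspect' or 'unknown' for one flow record."""
        counts = self.seen.get(prefix_of(src_ip))
        total = sum(counts.values()) if counts else 0
        if total < MIN_HISTORY:
            return "unknown"          # too little history to judge
        share = counts[entry_point] / total
        return "expected" if share >= MIN_SHARE else "suspect"


def build_sample_history():
    """Constructed training flows: (source IP, entry-point label)."""
    history = EntryPointHistory()
    for i in range(1, 41):
        history.learn(f"198.51.100.{i}", "peer-A")   # stable entry point
    for i in range(1, 4):
        history.learn(f"198.51.100.{i}", "peer-B")   # occasional backup path
    for i in range(1, 6):
        history.learn(f"203.0.113.{i}", "peer-C")    # sparse history
    return history


if __name__ == "__main__":
    h = build_sample_history()
    for ip, ep in [("198.51.100.77", "peer-A"), ("198.51.100.77", "peer-C"),
                   ("198.51.100.9", "peer-B"), ("203.0.113.9", "peer-A")]:
        print(ip, ep, h.classify(ip, ep))
```

A flow flagged `suspect` only means the source prefix arrived at an entry point it has rarely or never used; a routing change produces the same signal, so the history needs to age out or be relearned over time.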
Copyright information
© 2013 IFIP International Federation for Information Processing
About this paper
Cite this paper
Kováčik, M., Kajan, M., Žádník, M. (2013). Detecting IP Spoofing by Modelling History of IP Address Entry Points. In: Doyen, G., Waldburger, M., Čeleda, P., Sperotto, A., Stiller, B. (eds) Emerging Management Mechanisms for the Future Internet. AIMS 2013. Lecture Notes in Computer Science, vol 7943. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38998-6_9
DOI: https://doi.org/10.1007/978-3-642-38998-6_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-38997-9
Online ISBN: 978-3-642-38998-6
eBook Packages: Computer Science, Computer Science (R0)