CERIAS - Center for Education and Research in Information Assurance and Security

Skip Navigation
CERIAS Logo
Purdue University - Discovery Park
Center for Education and Research in Information Assurance and Security

Clouseau: A practical IP spoofing defense through route-based filtering

Jelena Mirkovic - University of Delaware

Dec 07, 2005

Size: 133.0MB

Download: Video Icon MP4 Video  
Watch in your Browser   Watch on Youtube Watch on YouTube

Abstract

IP spoofing accompanies many malicious activities and is even means for performing reflector DDoS attacks. Route-based filtering (RBF) enables a router to filter spoofed packets based on their incoming interface - this information is stored in an incoming table. Packets arriving on the expected incoming interface for their source address are considered legitimate, while all the other packets are filtered as spoofed. Past research has shown that RBF can be very effective when deployed at the vertex cover of the Internet AS-map (about 1500 ASes) but no practical approach has been proposed for incoming table construction.

We first show that RBF achieves high effectiveness even if the number of deploying points is very small (30 chosen deployment points reduce the amount of the spoofed Internet traffic to 5%). We further show that completeness of the incoming tables is critical for filtering effectiveness - partially full tables are as good as empty. This implies that routers cannot rely on reports of a few participating domains to build their incoming tables, but instead must devise means of accurately "guessing" incoming interface information for all traffic they see. Their guessing strategy must quickly react to offending traffic and determine with high accuracy whether the reason for the offense was a route change (in which case incoming interface information must be updated) or spoofing.

We next propose a protocol called Clouseau which builds accurate incoming tables at RBF routers, and keeps these tables up to date in face of frequent route changes. Clouseau infers incoming table information by applying randomized drops to offending TCP traffic and observing its retransmission behavior. No communication is required with packet sources or other RBF routers, which makes Clouseau suitable for partial deployment. The inference process is further resilient to subversion by an attacker who is familiar with the design of Clouseau.

About the Speaker

Jelena Mirkovic received her B.Sc at University of Belgrade, Serbia and Montenegro in 1998 and her MS and PhD at UCLA in 2000 and 2003.
Since 2003, she joined University of Delaware as an assistant professor.
Her research investigates distributed denial-of-service detection and defense, IP spoofing and Internet worms, and is supported by NSF and the Department of Homeland Security.
---------------------------------------------------------------------------

Unless otherwise noted, the security seminar is held on Wednesdays at 4:30P.M. STEW G52, West Lafayette Campus. More information...

Disclaimer

The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos, are the property of Purdue University, the presenter and/or the presenter’s organization, and protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any other way exploit any part of copyrighted material without permission from CERIAS, Purdue University.