InFilter: Predictive Ingress Filtering to Detect Spoofed IP Traffic

Ghosh, Abhijeet; Wong, Larry; Crescenzo, Giovanni Di; Talpade, Rajesh

doi:10.1109/icdcsw.2005.78

Cited by 4 publications

(4 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This is an extension of the hypothesis used in [5] which says that the same 'last hop' AS is used by packets from the same source AS prior to entering the destination AS. This is a reasonable extension based on the fact that traffic routes within an AS change infrequently.…”

Section: Spoofed Source Ddos Attack Detectionmentioning

confidence: 95%

“…Techniques such as [4] and [5] rely on historical observations of IP addresses to identify spoofed traffic. Since our technique maps the IP addresses to AS numbers, we are able to classify as legitimate or spoofed, traffic with IP addresses that have never been observed before, as long as some traffic from the same origin AS has been observed.…”

Section: Spoofed Source Ddos Attack Detectionmentioning

confidence: 99%

“…It stores network profiling information in terms of BGP AS (Autonomous System) numbers rather than network IP addresses. This allows for both concise data representation as well as the ability to draw inferences about IP traffic from previously unobserved sources, thus mitigating a major drawback of [5].…”

Section: Introductionmentioning

confidence: 98%

“…The InFilter scheme discussed in [5] addresses some of the shortcomings of [4]. It presents a predictive filtering approach that makes use of an "InFilter" hypothesis to detect spoofed source IP addresses in traffic near its destination.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

On the use of BGP AS numbers to detect spoofing

Vaidyanathan¹,

Ghosh²,

Yamada

et al. 2010

2010 IEEE Globecom Workshops

View full text Add to dashboard Cite

Spoofed IP traffic (traffic containing packets with incorrect source IP addresses) is often used by Internet-based attackers for anonymity. This method reduces the risk of traceback and avoids attack detection by traffic-based sensors. An ISP's Security Operations Center (SOC) needs an efficient spoofed source detection mechanism to protect its customers from network based attacks. Typically an SOC needs to offer such protection under the following operational constraints: a) Limited traffic monitoring points within the network core rather than at the edge, owing to the performance cost associated with incorporating monitoring b) Limited information on network topology and routing paths c) Very high data rates d) Sampled traffic data and e) Limited storage and processing capabilities for analysis. This paper describes an approach for spoofed source detection intended for an operational ISP network under the above constraints. The approach relies on the creation of concise source BGP AS (Autonomous System) profiles for each available monitoring point in the network. Profiles are constructed by observing recent historical monitoring data; each constructed profile is then used to detect spoofed traffic in real-time. An AS based network profile is advantageous compared to an IP address based profile due to (a) the relative conciseness of the former and (b) the ability to make inferences about network source IP addresses not observed during training or profiling periods. A preliminary evaluation of AS based profiles was performed using real time traffic observed in an enterprise network. The evaluation focus was on profile size and profile convergence time.

show abstract

Section: Spoofed Source Ddos Attack Detectionmentioning

confidence: 95%

Section: Spoofed Source Ddos Attack Detectionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 98%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations