Hop-Count Filtering: An Effective Defense Against Spoofed Traffic


IP spoofing has been exploited by Distributed Denial of Service (DDoS) attackers to (1) conceal flooding sources and localities of flooding traffic, and (2) coax uncompromised hosts into becoming reflectors, redirecting and amplifying flooding traffic. Thus, the ability to filter spoofed IP packets near victims is essential to their own protection as well as to their avoidance of becoming involuntary DoS reflectors. Although an attacker can forge any field in the IP header, he cannot falsify the number of hops an IP packet takes to reach its destination. This hop-count information can be inferred from the Time-to-Live (TTL) value in the IP header. Based on this observation, we propose a novel filtering technique for Internet servers to winnow away spoofed IP packets. By clustering address prefixes based on hop-counts, Hop-Count Filtering (HCF) builds an accurate IP to hop-count (IP2HC) mapping table to detect and discard spoofed IP packets. Through analysis using network measurement data, we show that HCF can identify and then discard close to 90% of spoofed IP packets with little collateral damage. We implement and evaluate the HCF in the Linux kernel, demonstrating its benefits with experimental measurements.

Extracted Key Phrases

19 Figures and Tables


Citations per Year

134 Citations

Semantic Scholar estimates that this publication has 134 citations based on the available data.

See our FAQ for additional information.

Cite this paper

@inproceedings{Jin2003HopCountFA, title={Hop-Count Filtering: An Effective Defense Against Spoofed Traffic}, author={Cheng Jin and Haining Wang and Kang G. Shin}, year={2003} }