• Corpus ID: 62703797

Mitigating IP Spoofing by Validating BGP Routes Updates

Junaid Israr, Mouhcine Guennoun, Hussein T. Mouftah

Summary: IP spoofing remains a popular method to launch Distributed Denial of Service (DDoS) attacks. Several mitigation schemes have been proposed in literature to detect forged source IP addresses. Some of these solutions, like the inter domain packet filter (IDPF), construct filters based on implicit information contained in BGP route updates. The packet filters rely on the fact that BGP updates are valid and reliable. This assumption is unfortunately not true in the context of the Internet…

Design of lightweight alternatives to secure border gateway protocol and mitigate against control and data plane attacks

Two novel lightweight security protocols are presented, called Credible BGP (C-BGP) and Hybrid Cryptosystem BGP, which rely on security mechanisms in S-BGP but are designed to address signature verification overhead and deployment challenges associated with S-BGP.


The proposed route reliability ranking (RRR) algorithm is used to authenticate the validation of a routing update based on the common facts of the autonomous systems (AS’s) in the network.

Inter-Domain Routing Validator Based Spoofing Defence System

  • Lei Wang, T. Xia, J. Seberry
  • Computer Science
    2010 IEEE International Conference on Intelligence and Security Informatics
  • 2010
A new system called Inter-Domain Routing Validator Based Spoofing Defence System (SDS) for filtering spoofed IP packets is proposed, which uses efficient symmetric key message authentication code (UMAC) as its tag to verify that a source IP address is valid.

Enhanced EDoS-Shield for Mitigating EDoS Attacks Originating from Spoofed IP Addresses

  • F. Al-Haidari, M. Sqalli, K. Salah
  • Computer Science
    2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications
  • 2012
This paper advocates a novel solution as an enhancement to prior work, namely EDoS-Shield, to mitigate the EDoS attacks originating from spoofed IP addresses and designs a discrete event simulation experiment to evaluate its performance and results show that it is a promising solution.

A deployable IP spoofing defence system

The work in this thesis is to offer an authentic source identifier which may be employed by a network for IP spoofing packets, and an original model together with an examination of a Spoofing Defence System in an Autonomous System (AS) level designed for filtering the spoofed IP packets.

Detection of Invalid BGP Routes

  • Hongjun Wang, Wanping Hao
  • Computer Science, Business
    2010 6th International Conference on Wireless Communications Networking and Mobile Computing (WiCOM)
  • 2010
This proposed method finds the invalid AS path in the BGP routes according to the commercial relationship between autonomous systems (ASes). The proposed method discovers invalid prefixes through checking the allocation record and the ownership of the prefixes of inbound routes and outbound routes.

Amplification and DRDoS Attack Defense - A Survey and New Perspectives

This work acts as an introduction into amplification attacks and source IP address spoofing and a survey on the state of the art in spoofing defenses is presented.

EDoS-Shield - A Two-Steps Mitigation Technique against EDoS Attacks in Cloud Computing

This paper advocates a novel solution, named EDoS-Shield, to mitigate the Economic Denial of Sustainability (EDoS) attack in the cloud computing systems and designs a discrete simulation experiment to evaluate its performance and shows that it is a promising solution to mitigate the EDoS.

Access control for network management

The detailed threat model assumes physical compromise of devices, along with associated attacks that can be done by having physical access, and assumes the communication channels connecting an unsecured switch to be insecure.



Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates

It is shown that, even with partial deployment on the Internet, IDPFs can proactively limit the spoofing capability of attackers and can help localize the origin of an attack packet to a small number of candidate networks.

Improving TCP's Robustness to Blind In-Window Attacks

This document specifies small modifications to the way TCP handles inbound segments that can reduce the chances of a successful attack.

Practical network support for IP traceback

A general purpose traceback mechanism based on probabilistic packet marking in the network that allows a victim to identify the network path(s) traversed by attack traffic without requiring interactive operational support from Internet Service Providers (ISPs).

On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets

This paper describes and evaluates route-based distributed packet filtering (DPF), a novel approach to distributed DoS (DDoS) attack prevention, and shows that DPF achieves proactiveness and scalability, and there is an intimate relationship between the effectiveness of DPF at mitigating DDoS attack and power-law network topology.

An analysis of using reflectors for distributed denial-of-service attacks

This paper argues in conclusion in support of "reverse ITRACE" [Ba00] and for the utility of packet traceback techniques that work even for low volume flows, such as SPIE.

Hash-based IP traceback

This work presents a hash-based technique for IP traceback that generates audit trails for traffic within the network, and can trace the origin of a single IP packet delivered by the network in the recent past and is implementable in current or next-generation routing hardware.

Inferring Internet denial-of-service activity

This article presents a new technique, called “backscatter analysis,” that provides a conservative estimate of worldwide denial-of-service activity, and believes it is the first to provide quantitative estimates of Internet-wide denial-of-service activity.

DNS cache poisoning - the next generation

Sheds light on new attacks that make DNS cache poisoning trivial to execute against a large number of nameservers running today, and recommends ways to defend against them.

A Border Gateway Protocol 4 (BGP-4)

This document, together with its companion document, "Application of the Border Gateway Protocol in the Internet", define an inter-autonomous system routing protocol for the Internet.