期刊名称:International Journal of Computer Science and Network Security
印刷版ISSN:1738-7906
出版年度:2009
卷号:9
期号:5
页码:71-76
出版社:International Journal of Computer Science and Network Security
摘要:IP spoofing remains a popular method to launch Distributed Denial of Service (DDOS) attacks. Several mitigation schemes have been proposed in literature to detect forged source IP addresses. Some of these solutions, like the inter domain packet filter (IDPF), construct filters based on implicit information contained in BGP route updates. The packet filters rely on the fact that BGP updates are valid and reliable. This assumption is unfortunately not true in the context of the Internet. In addition, attackers can combine control and data plane attacks to avoid detection. In this paper, we evaluate the impact of false and bogus BGP updates on the performance of packet filters. We introduce a new and easy to deploy extension to the standard BGP selection algorithm in order to detect spoofed BGP updates. The new proposal, credible BGP (CBGP), assigns credibility scores for AS prefix origination and AS path. These credibility scores are used in an extended selection algorithm to prefer valid BGP routes. Based on simulation studies, we prove that the proposed algorithm improves significantly the performance of packet filters based on BGP updates.
Loading...
