We then inspect and compare various IP spoofing defense solutions. Our goal
is to provide a comprehensive study of the state-of-the-art, and meanwhile analyze
what obstacles stand in the way of deploying those modern solutions and
what areas require further research. We will compare spoofing defense mechanisms
in terms of three features: identifying spoofing packets, mitigating spoofing
attacks, and pinpointing an attacker’s real location. Note that identifying
spoofing packets and mitigating a spoofing attack are not the same thing. For
example, in a bandwidth-based denial-of-service attack, even if we are able to
identify the spoofing packets, we cannot mitigate the attack they cause if the
identification is done at or close to the victim, because by then the packets
have already consumed the bandwidth on the path to it. Furthermore, identifying
and mitigating an attack does not mean we can identify the actual attacker.
Without being able to locate an attacker, there is no deterrent for attackers:
their attacks may be stopped, but as long as they can continue to attack in
anonymity there is no risk to themselves or their resources. Not all spoofing
defense mechanisms implement all three features, and those that do may have
implementations of varying effectiveness.

Spoofing defense mechanisms should also maintain a set of desired properties.
They cannot rely on traffic characteristics that attackers can easily manipulate,
since an attacker can simply spoof whatever values the defense expects. They
should also be easy to deploy, and preferably independent of routing protocols
in order to ensure deployability across all current and future intra-AS and
inter-AS networks. And finally, of course, an ideal defense mechanism must incur
low overhead so as not to affect network performance.

Note that this article looks into IP spoofing and not IP prefix hijacking. Although
they both involve attackers pretending to have a false identity, the
problems are inherently different. When an attacker successfully hijacks a prefix,
the hijacked IP addresses are effectively co-owned by both the attacker and the
legitimate owner; although some packets toward the hijacked IP addresses may
still reach the legitimate owner, many packets will reach the attacker. When an
attacker uses IP spoofing, however, the spoofed source addresses are entirely
out of the attacker’s control. Many of the IP spoofing defense mechanisms assume
that attackers cannot receive responses, and would not be effective in
defending against attackers that employ IP prefix hijacking. Prefix hijacking
is an important network security problem, but it requires solutions different
from those for IP spoofing.
ACM Transactions on Internet Technology, Vol. 9, No. 2, Article 6, Publication date: May 2009.
On the State of IP Spoofing Defense • 6:3

The remainder of this article is organized as follows. In Section 2 we discuss
why IP spoofing is still a serious problem today. Then in Section 3 we categorize
the spoofing defense mechanisms at a high level. Sections 4, 5, and 6 describe
the defense mechanisms in detail, focusing on host-based ones, router-based
ones, and their combination, respectively. In Section 7 we analyze the pros
and cons of all these defense mechanisms, addressing their capabilities and
characteristics as well as overhead. We conclude our survey with a discussion