Router-based spoofing defense methods generally take a different approach
from host-based mechanisms. Although in principle most host-based methods
could also be used by routers, researchers generally only consider a few, such
as IPsec or IP puzzles, for use at the router level. Other host-based methods
generally impose too much overhead and would degrade router performance.
Router-based defense mechanisms are all similar in that they perform
some sort of filtering to prevent spoofed packets from reaching their intended
destinations. The mechanisms differ in what information
they use to decide whether a packet contains a spoofed source address,
and in where in the network the filtering takes place. We will discuss the more
basic, traditional mechanisms along with state-of-the-art distributed filtering
solutions.