We then inspect and compare various IP spoofing defense solutions. Our goal
is to provide a comprehensive study of the state-of-the-art, and meanwhile analyze
what obstacles stand in the way of deploying those modern solutions and
what areas require further research. We will compare spoofing defense mechanisms
in terms of three features: identifying spoofing packets, mitigating spoofing
attacks, and pinpointing an attacker’s real location. Note that identifying
spoofing packets and mitigating a spoofing attack are not equal. For example,
with a bandwidth-based denial-of-service attack, even if we are able to identify
spoofing packets, we cannot mitigate an attack they cause if the identification
is done at or close to the victim. Furthermore, identifying and mitigating an
attack does not mean we can identify the actual attacker. Without being able
to locate an attacker, there is no deterrent for attackers; their attacks may
be stopped, but as long as they can continue to attack in anonymity there is
no risk to themselves or their resources. Not all spoofing defense mechanisms
implement all three features, and those that do may have implementations of
varying effectiveness.