Elsevier

Computer Communications

Volume 64, 15 June 2015, Pages 1-20

An incrementally deployable anti-spoofing mechanism for software-defined networks

https://doi.org/10.1016/j.comcom.2015.03.003

Abstract

Internet attacks often use IP spoofing, i.e., forging the source IP address of packets, to hide the identity of the source. Spoofing causes serious security problems: it defeats source-based authentication of packets and frustrates IP traceback. Many IP spoofing prevention techniques beyond ingress filtering have been proposed, but none has achieved widespread real-world use. One main reason is the lack of properties favoring incremental deployment, an essential component of new technology adoption. An incrementally deployable protocol should have three properties: initial benefits for early adopters, incremental benefits for subsequent adopters, and effectiveness under partial deployment. Since no previous anti-spoofing solution satisfies all three properties, we propose an anti-spoofing mechanism called “BGP-based Anti-Spoofing Extension” (BASE), designed to fulfill the incremental deployment properties. Furthermore, BASE is designed to work in software-defined networks (SDN), which gives network operators a motivation to adopt it, since SDN supports large-scale network control with simple operation. Based on simulations using a model of Internet connectivity, BASE shows desirable IP spoofing prevention capabilities under partial deployment. We find that just 30% deployment can drop about 97% of attack packets. BASE thus not only provides benefits to early adopters, but also outperforms previous anti-spoofing mechanisms.

Introduction

IP spoofing, i.e., forging a packet’s source IP address, remains an unsolved security problem in today’s Internet [1], [2], [3]. Such forgeries give attackers anonymity, indirection, and amplification [1], allowing them to circumvent source-based filtering and mount denial-of-service (DoS) attacks. Most notably, an attacker may employ IP spoofing to exhaust a server’s resources via a TCP SYN flood [4]. Backscatter traffic analysis infers that several hundred DDoS attacks employing spoofing occur daily [5]. In February 2014, a massive DDoS attack peaking at 400 gigabits per second hit EU- and US-based servers; it used IP spoofing to exploit the Network Time Protocol (NTP) as a reflector. This so-called NTP reflection attack shows that IP spoofing is still a significant problem in today’s Internet [6].

Contemporary attacks often forgo IP spoofing and instead use enormous botnets to mask the perpetrator’s source address during a DDoS attack. In addition to the prevalence of non-spoofed DDoS attacks, the broad deployment of ingress filtering (e.g., 80% of the ASes participating in the MIT Spoofer project are non-spoofable [7]) induces the misconception that spoofing is no longer an open problem. However, the remaining 20% of networks suffice to generate spoofed traffic towards any target [3]. Ingress filtering is therefore insufficient unless it is fully deployed [8]: it only filters outgoing packets, so the benefit accrues to the rest of the Internet rather than to the network that deploys it. Furthermore, the diversity of new exploits gives enough motivation to continue spoofing-based attacks [1], [9], including DNS amplification attacks, TCP reset attacks, spam filter circumvention, network scans, and DNS poisoning. Recently, Qian and Mao found a new exploit using IP spoofing, which leverages the sequence-number checking of firewall middleboxes to infer TCP sequence numbers, enabling off-path TCP attacks [10]. Over many years, several anti-spoofing solutions have been suggested, but none has achieved widespread deployment.

In “Crossing the Chasm”, Moore notes that customers for a technological innovation range from early adopters, to the early majority, to the late majority, and finally to laggards [11]. A central difference in the deployment of networking protocols is the availability of hardware and software that implements the protocols. Although the market for Internet technology differs from that of a mainstream product, we can still draw a partial analogy. We conjecture that the deployment of networking protocols follows a similar trend: early adopters with a critical need for some new technology start to use it in their networks. As larger network operators recognize the necessity of the technology and observe customer demand, they also implement the feature, causing the early mainstream of network operators to deploy it. Finally, some network operators update their networks infrequently and thus require a longer time until they implement the functionality. In terms of incremental deployability, a viable protocol needs three properties: initial benefits for the early adopters, incremental benefits for the early majority, and effectiveness under partial deployment.

  • Initial benefit: The protocol needs to provide initial benefits for early adopters. Ideally, the initial deployments already provide a benefit.

  • Incremental benefit: The protocol needs to provide incremental benefits for the early majority. Such benefits should increase as deployment proceeds.

  • Partial deployment: The protocol needs to provide properties such that a proportionally small deployment is already sufficiently effective. Broad deployment requires a prolonged period; thus, a practical protocol should approach full strength when approximately 30–50% of routers deploy the mechanism. This corresponds to about 10% of the larger ASes.

An anti-spoofing protocol needs to be not only technically sound but also economically acceptable. Unfortunately, currently proposed IP spoofing prevention mechanisms are inadequate, especially in providing incentives for deployers.

In order to satisfy the above three properties of a viable protocol, we propose a new mechanism called “BGP-based Anti-Spoofing Extension” (BASE). BASE is designed for implementation on software-defined networks (SDN). SDN provides a logically centralized and programmable controller that manages the entire network by separating the control plane from the data plane. With this separation, network control moves to a logically centralized controller in the control plane, and the network devices in the data plane become simple packet forwarding devices. SDN enables network operators to program and control their networks more flexibly, whereas the traditional network is rigid with respect to network dynamics. Driven by this, SDN emerged as an innovative network architecture and is becoming a reality in the modern Internet. BASE can be adopted and deployed in real networks as SDN environments grow.

BASE consists of four phases: distribution of marking values, filter invocation, packet marking and filtering, and filter revocation. Valid marking values are distributed among BASE routers using BGP update messages. The marking values for each BASE router are computed by SDN controllers using cryptographic hash chains. When a spoofing attack occurs, the controller in the victim network sends invocation messages to the SDN controllers of other BASE-enabled ASes, and each controller that receives an invocation initiates packet marking and filtering on the BASE routers under its control. Communication among BASE entities can be carried in optional transitive BGP attributes [12], which lets the messages traverse ASes that do not deploy BASE, i.e., deliver under partial deployment. Then only legitimate traffic traveling a valid path carries a correct mark; spoofed packets carry incorrect marking values and are dropped by an intermediate BASE router. Furthermore, the capability to invoke the filtering network of BASE routers is given to BASE deployers, which is the direct benefit of adopting BASE in their networks.
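The four phases above, worked through in Python as an added example. This is not the paper's implementation and fills in details the page leaves open: each BASE AS's per-epoch marking value is taken to be an element of a SHA-256 hash chain whose anchor travels in that AS's BGP update; each BASE router on the path folds its current value into a 32-bit mark field; and the BASE router in front of the victim recomputes the mark a source prefix should carry from the BASE ASes on that prefix's AS_PATH. The AS numbers, prefixes, seeds, the fold function and the field width are all constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

CHAIN_LEN = 8    # epochs covered by one hash chain (hypothetical)
MARK_BITS = 32   # width of the packet mark field (hypothetical)


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class BaseController:
    """SDN controller of one BASE AS: owns the hash chain its routers mark with."""

    def __init__(self, asn: int, seed: bytes):
        self.asn = asn
        chain = [seed]                    # chain[i] = H(chain[i-1])
        for _ in range(CHAIN_LEN):
            chain.append(h(chain[-1]))
        self._chain = chain
        self.anchor = chain[CHAIN_LEN]    # carried in this AS's BGP update

    def value(self, epoch: int) -> bytes:
        """Phase 1: marking value for `epoch` (1..CHAIN_LEN), disclosed backwards
        along the chain so that a leaked old value does not reveal newer ones."""
        if not 1 <= epoch <= CHAIN_LEN:
            raise ValueError("epoch outside chain")
        return self._chain[CHAIN_LEN - epoch]


def verify_value(anchor: bytes, epoch: int, value: bytes) -> bool:
    """Receiver-side check of a disclosed value: H^epoch(value) == anchor."""
    x = value
    for _ in range(epoch):
        x = h(x)
    return hmac.compare_digest(x, anchor)


def fold_mark(prev_mark: int, value: bytes) -> int:
    """Phase 3, marking: one BASE router's deterministic contribution."""
    digest = h(prev_mark.to_bytes(4, "big") + value)
    return int.from_bytes(digest[:4], "big") & ((1 << MARK_BITS) - 1)


def expected_mark(values_on_path) -> int:
    """Mark a packet carries after the BASE ASes with these values, in path order."""
    m = 0
    for v in values_on_path:
        m = fold_mark(m, v)
    return m


@dataclass
class Packet:
    src_prefix: str
    dst_prefix: str
    mark: int = 0


def run_scenario(epoch: int = 3) -> dict:
    """Constructed AS_PATH toward the victim: AS1 - AS2 - AS3 - AS4 - AS5, with
    BASE deployed only in AS2, AS4 and the victim AS5."""
    path = [1, 2, 3, 4, 5]
    victim_prefix, src_prefix = "192.0.2.0/24", "10.1.0.0/16"
    controllers = {asn: BaseController(asn, f"seed-{asn}".encode()) for asn in (2, 4, 5)}
    values = {}
    for asn, c in controllers.items():
        v = c.value(epoch)
        if not verify_value(c.anchor, epoch, v):   # what a peer does on receipt
            raise RuntimeError(f"bad marking value from AS{asn}")
        values[asn] = v
    base_upstream = {src_prefix: [2, 4]}   # BASE ASes before AS5, from BGP AS_PATH
    invoked = set()                        # Phases 2/4: prefixes with filtering on

    def forward(pkt: Packet, entry_asn: int) -> Packet:
        for asn in path[path.index(entry_asn):-1]:   # AS5 filters, does not mark
            if asn in controllers and pkt.dst_prefix in invoked:
                pkt.mark = fold_mark(pkt.mark, values[asn])
        return pkt

    def filter_at_victim(pkt: Packet) -> bool:
        """True = forwarded to the victim, False = dropped by AS5's BASE router."""
        if pkt.dst_prefix not in invoked:
            return True
        exp = expected_mark([values[a] for a in base_upstream[pkt.src_prefix]])
        return pkt.mark == exp

    results = {}
    # Before invocation nothing is marked or filtered (on-demand filtering).
    results["spoof before invocation"] = filter_at_victim(
        forward(Packet(src_prefix, victim_prefix), entry_asn=3))
    invoked.add(victim_prefix)   # AS5's controller invokes filtering for its prefix
    results["legit from AS1"] = filter_at_victim(
        forward(Packet(src_prefix, victim_prefix), entry_asn=1))
    # Attacker in the non-BASE AS3 forges src_prefix with a guessed mark; the
    # packet never passed AS2, so AS4's fold cannot produce the expected mark.
    results["spoof from AS3"] = filter_at_victim(
        forward(Packet(src_prefix, victim_prefix, mark=0xDEADBEEF), entry_asn=3))
    # Attacker in the same AS as the spoofed prefix traverses the same BASE
    # routers as legitimate traffic and is not caught by path marking.
    results["spoof from AS1"] = filter_at_victim(
        forward(Packet(src_prefix, victim_prefix), entry_asn=1))
    invoked.discard(victim_prefix)   # revocation once the attack subsides
    return results
```

Two points a deployer should take from the toy: the mark field bounds the blind-guessing probability (a w-bit mark lets a random guess through with probability about 2^-w per packet, so a narrow field filters floods well but never perfectly), and an attacker placed in the same AS as the prefix it forges is indistinguishable from legitimate traffic by path marking alone, which is exactly the "attacker location" measure the security analysis section uses.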

One filtering scheme that exhibits incremental deployability is route-based distributed packet filtering (DPF) [8]. DPF drops spoofed packets that arrive over routes inconsistent with their claimed source addresses, and its filtering quality increases with the degree of deployment. However, DPF gives no direct benefit to the adopters; everyone shares the benefit of the filtered spoofed packets, which discourages deployment of DPF.

In experiments, BASE was implemented on virtual OpenFlow networks using Mininet [13], OpenvSwitch [14] and POX [15], in order to verify its correct operation. The power to filter spoofed packets rises substantially as the number of deploying entities increases: with only about 30% of ASes deploying the mechanism, about 97% of attack packets are filtered. We show that BASE outperforms previously proposed schemes in filtering spoofed packets while satisfying the incremental deployability properties.

The contributions of this work can be summarized as follows:

  • BASE is the first work to address the incremental deployability properties by giving a visible benefit to early adopters.

  • BASE provides on-demand filtering, which reduces unnecessary overhead while keeping sufficient security.

  • BASE is implemented on a popular open-source SDN project using only standard OpenFlow APIs.

  • BASE shows that IP spoofing attacks can be effectively filtered with limited deployment.

The rest of this paper is organized as follows. Section 2 describes the background of SDN and the fundamental techniques of our work. Then, we give a detailed description of BASE in Section 3 and a security analysis in Section 4. Section 5 outlines the experimental settings and results. In Section 6, we discuss several issues that arise when BASE is operated in a real network. Section 7 describes related work, and finally we conclude the paper with the remaining challenges in Section 8.

Section snippets

Background

To better understand the BASE mechanism, we introduce the historical background, basic architecture, and application fields of SDN. Moreover, the fundamental techniques we apply in the BASE mechanism are described in detail.

The BASE mechanism

This section proposes a new mechanism called “BGP-based Anti-Spoofing Extension” (BASE), which combines features of Pi [48] and DPF [8]. BASE functions as an anti-spoofing solution by performing per-packet deterministic packet marking (the Pi feature) and overloading the BGP routing protocol to propagate marking information (the DPF feature). In addition to combining the features of Pi and DPF, BASE provides the three deployment properties. In BASE, path-based marking enables in-network filtering

Circumventing BASE routers

The first measure of the effectiveness of an anti-spoofing mechanism is the proportion of spoofed packets that are dropped prior to arriving at a victim’s location. We consider a network with partial deployment as shown in Fig. 15.

In the case of ingress filtering [60], an attacker can mount an attack with spoofed packet (s,t) at 5 locations (v1, …, v5). In the case of DPF [41], only 3 locations (v1, …, v3) are available to an attacker for mounting a spoofing attack. The attacker at the locations (v1
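The "number of attacker locations" measure used above, and the DPF route-based filter it is applied to in the introduction, as an added Python example that is not part of the paper. The AS-level topology, the deployment sets and the single-shortest-path routing model are constructed here and are not Fig. 15; ingress filtering is modelled as an AS dropping locally originated packets whose source does not belong to it, and DPF as a router accepting a source prefix only on the interface the route from that prefix's AS actually uses (a destination-independent simplification of the route-based filters in [8]).

```python
from collections import deque

# Constructed AS-level topology (a tree, so every route is unique).
EDGES = [(1, 2), (2, 4), (4, 6), (6, 8), (3, 2), (5, 4), (7, 6)]


def build_adjacency(edges):
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def route(adj, src, dst):
    """Hop-by-hop route from src to dst (BFS shortest path; assumes connectivity)."""
    prev = {src: None}
    q = deque([src])
    while q:
        u = q.popleft()
        if u == dst:
            break
        for n in sorted(adj[u]):
            if n not in prev:
                prev[n] = u
                q.append(n)
    path = []
    node = dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def dpf_accepts(adj, router, src_as, came_from):
    """Route-based filter at `router`: a packet claiming source prefix s must
    arrive on the interface that the route from s's AS to this router uses.
    `came_from` is None for packets originated by the router's own customers."""
    expected = route(adj, src_as, router)
    prev_hop = expected[-2] if len(expected) > 1 else None
    return came_from == prev_hop


def spoof_reaches_victim(adj, attacker_as, src_as, victim_as, ingress, dpf):
    """Simulate one packet from attacker_as with forged source src_as toward victim_as."""
    if attacker_as in ingress and attacker_as != src_as:
        return False  # ingress filtering: the forged source is not a local prefix
    came_from = None
    for router in route(adj, attacker_as, victim_as):
        if router in dpf and not dpf_accepts(adj, router, src_as, came_from):
            return False
        came_from = router
    return True


def spoofable_locations(edges, src_as, victim_as, ingress=frozenset(), dpf=frozenset()):
    """ASes from which a spoofed (src_as, victim_as) packet still reaches the victim."""
    adj = build_adjacency(edges)
    return sorted(v for v in adj if v != victim_as
                  and spoof_reaches_victim(adj, v, src_as, victim_as, ingress, dpf))


if __name__ == "__main__":
    for label, ing, d in [("no deployment", set(), set()),
                          ("ingress at 2,3,7", {2, 3, 7}, set()),
                          ("DPF at 4,6", set(), {4, 6}),
                          ("both", {2, 3, 7}, {4, 6})]:
        print(label, spoofable_locations(EDGES, 1, 8, ing, d))
```

On this constructed topology ingress filtering removes only the deploying ASes themselves as attack locations, while DPF at two transit ASes also removes every location whose route to the victim joins the source's route at the wrong interface; in both cases the attacker co-located with the forged prefix in AS 1 is never removed, which is the same residual location the path-marking example in Section 3 shows.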

Evaluation

To evaluate the performance of BASE, two levels of experiments were performed: a high-level simulation on an Internet-scale topology to estimate filtering performance, and a low-level simulation on SDN to verify BASE’s functions.

In the first experiment, an Internet-scale simulation was conducted for a performance estimation with different anti-spoofing mechanisms. We compared filtering performance of BASE with three different well-known filtering schemes according to filter placement strategy and

Adopter’s benefit

Ingress filtering and DPF are more powerful when deployed near the attacking location, but less effective near the victim. Therefore, ISPs that could become victims are not motivated to adopt ingress filtering or DPF. Only Pi gives an obvious benefit to a victim defending against spoofing attacks. Nevertheless, Pi still has a significant weakness: its full benefit occurs only after large-scale deployment. Therefore, Pi cannot be an immediate solution for a victim of

Related work

Researchers have followed two main directions in the investigation of techniques to mitigate spoofed source IP addresses: IP traceback and detection of spoofed packets. The goal of IP traceback is to find the true origin(s) of attack packets. One IP traceback technique is packet marking, which can be either deterministic [81], [52], [54] or probabilistic [41], [44], [47], [53]. However, IP traceback has several drawbacks. For example, spoofed packets can destroy a victim’s network before

Conclusions

The BASE mechanism is proposed to fulfill the incremental deployment properties that are essential for adoption in the current Internet. Through distributed filtering, cryptographic packet marking, and on-demand filtering for the destination addresses of the victim’s network, its protective power grows as BASE filters are deployed gradually. The BASE mechanism offers strong incremental deployment benefits over existing solutions because.

BASE is a promising approach for

Acknowledgments

We are grateful to Damon Smith and Jihoon Son for conducting the simulations and Geoffrey Hasker for valuable discussions. A preliminary version of this paper appeared in ACM Symp. on Information, Computer and Communication Security 2007 [88].

References (88)

  • G. Yao et al., Vase: filtering IP spoofing traffic with agility, Comput. Netw. (2013).
  • A. Belenky et al., On deterministic packet marking, Comput. Netw. (2007).
  • R. Beverly, A. Berger, Y. Hyun, K. Claffy, Understanding the efficacy of deployed internet source address validation...
  • T. Ehrenkranz et al., On the state of IP spoofing defense, ACM Trans. Internet Technol. (2009).
  • J. Mirkovic et al., Comparative evaluation of spoofing defenses, IEEE Trans. Dependable Secure Comput. (2011).
  • CERT, TCP SYN Flooding and IP Spoofing Attacks, Advisory CA-96.21, September...
  • D. Moore et al., Inferring internet denial-of-service activity, ACM Trans. Comput. Syst. (TOCS) (2006).
  • ICS-CERT, NTP Reflection Attack, Advisory (ICSA-14-051-04), February 2014.
  • A.N.A. Group, MIT ANA Spoofer Project, October 2011.
  • K. Park, H. Lee, On the effectiveness of route-based packet filtering for distributed DoS attack prevention in...
  • Y. Gilad et al., LOT: a defense against IP spoofing and flooding attacks, ACM Trans. Inform. Syst. Secur. (2012).
  • Z. Qian, Z.M. Mao, Off-path TCP sequence number inference attack – how firewall middleboxes reduce security, in:...
  • G.A. Moore, Crossing the Chasm: Marketing and Selling High-Tech Products to Mainstream Customers (1995).
  • Y. Rekhter, T. Li, S. Hares, A Border Gateway Protocol 4 (BGP-4), RFC 4271, January...
  • B. Lantz, B. Heller, N. McKeown, A network in a laptop: rapid prototyping for software-defined networks, in:...
  • OpenvSwitch, An Open Virtual Switch.
  • POX, Python-based NOX.
  • O.M.E. Committee et al., Software-defined Networking: The New Norm for Networks, ONF White Paper, Open Networking...
  • S. Sezer, S. Scott-Hayward, P.K. Chouhan, B. Fraser, D. Lake, J. Finnegan, N. Viljoen, M. Miller, N. Rao, Are we ready...
  • J.E. van der Merwe et al., The Tempest: a practical framework for network programmability, IEEE Netw. (1998).
  • N. Feamster, H. Balakrishnan, J. Rexford, A. Shaikh, J. Van Der Merwe, The case for separating routing from routers,...
  • H. Yan, D.A. Maltz, T.S. Eugene Ng, H. Gogineni, H. Zhang, Z. Cai, Tesseract: A 4D Network Control Plane, NSDI, vol. 7,...
  • M. Casado et al., Ethane: taking control of the enterprise, ACM SIGCOMM Comput. Commun. Rev. (2007).
  • N. McKeown et al., OpenFlow: enabling innovation in campus networks, ACM SIGCOMM Comput. Commun. Rev. (2008).
  • H. Kim et al., Improving network management with software defined networking, IEEE Commun. Mag. (2013).
  • G. Gibb et al., Outsourcing network functionality.
  • S. Scott-Hayward, G. O’Callaghan, S. Sezer, SDN security: a survey, in: IEEE SDN for Future Networks and Services...
  • R. Braga, E. Mota, A. Passito, Lightweight DDoS flooding attack detection using NOX/OpenFlow, in: IEEE 35th Conference...
  • S. Lim, J. Ha, H. Kim, Y. Kim, S. Yang, A SDN-oriented DDoS blocking scheme for botnet-based attacks, in: Sixth...
  • M. Shtern, R. Sandel, M. Litoiu, C. Bachalo, V. Theodorou, Towards mitigation of low and slow application DDoS attacks,...
  • S.A. Mehdi et al., Revisiting traffic anomaly detection using software defined networking.
  • N. Gude et al., NOX: towards an operating system for networks, ACM SIGCOMM Comput. Commun. Rev. (2008).
  • J.H. Jafarian et al., Openflow random host mutation: transparent moving target defense using software defined networking.
  • S. Shin, G. Gu, Cloudwatcher: network security monitoring using OpenFlow in dynamic cloud networks (or: How to provide...
  • R. Skowyra, S. Bahargam, A. Bestavros, Software-defined IDS for securing embedded mobile devices, in: High Performance...
  • H. Hu et al., Flowguard: building robust firewalls for software-defined networks.
  • Z.A. Qazi, C.-C. Tu, L. Chiang, R. Miao, V. Sekar, M. Yu, Simple-fying middlebox policy enforcement using SDN, in:...
  • B. Zhang, J. Bi, T. Feng, P. Xiao, D. Zhou, Performing software defined route-based IP spoofing filtering with SEFA,...
  • T. Feng, J. Bi, H. Hu, G. Yao, P. Xiao, InSAVO: intra-AS IP source address validation solution with openrouter, in:...
  • Z. Duan, X. Yuan, J. Chandrashekar, Constructing inter-domain packet filters to control IP spoofing based on BGP...
  • G. Yao, J. Bi, P. Xiao, Source address validation solution with OpenFlow/NOX architecture, in: 19th IEEE International...
  • K. Park, H. Lee, On the effectiveness of probabilistic packet marking for IP traceback under denial of service attack,...
  • O. Goldreich et al., How to construct random functions, J. ACM (JACM) (1986).
  • J. Postel, Internet Protocol, RFC 791, September...