Filtering Source-Spoofed IP Traffic Using Feasible Path Reverse Path Forwarding with SDN
Source IP address spoofing is still a significant problem on today’s Internet. Recent DDoS attacks, which combined source IP spoofing with amplifying UDP services, have resulted in attack traffic volumes exceeding hundreds of gigabits per second. In this work we argue that the ingress packet filtering solutions proposed in BCP 38 more than 13 years ago have failed to solve the issue due to a fundamental incentive misalignment. We present an SDN implementation of feasible path reverse path forwarding that tier 2 ISPs could implement using OpenFlow switches at peering points with no impact on the performance of their routers. We show how an SDN solution can handle error cases more gracefully than current reverse path forwarding implementations. We illustrate that this proposal is well aligned with the economic incentives of the adopting parties and, furthermore, does not require ubiquitous adoption to create network-wide immunity. We describe our open code implementation on OpenFlow. Finally, we discuss the limitations of this filtering approach.
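To make the filtering decision concrete, the following added example (not the paper's OpenFlow code) contrasts strict RPF, which accepts a source only on the port holding the best route to it, with feasible path RPF, which accepts it on any port from which that prefix was advertised. The peering ports, prefixes and packets are constructed sample data, and the controller that would push the resulting rules to a switch is assumed and not shown.

```python
import ipaddress
from collections import defaultdict

# Constructed sample BGP routes learned at two peering ports (not the paper's data).
# Each entry: (ingress_port, prefix, is_best_path). Feasible path RPF considers every
# advertised path, strict RPF only the best one.
CONSTRUCTED_ROUTES = [
    ("peer-A", "203.0.113.0/24", True),
    ("peer-B", "198.51.100.0/24", True),
    ("peer-A", "198.51.100.0/24", False),  # backup path via peer-A, also feasible
]

def build_tables(routes):
    """Return (strict, feasible): ingress port -> prefixes accepted as source there."""
    strict, feasible = defaultdict(list), defaultdict(list)
    for port, prefix, best in routes:
        net = ipaddress.ip_network(prefix)
        feasible[port].append(net)
        if best:
            strict[port].append(net)
    return strict, feasible

def rpf_check(port, src_ip, table):
    """Return (allowed, reason). A source with no advertised path at all is dropped:
    nothing behind any peering port can legitimately originate it."""
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in table.get(port, [])):
        return True, "source reachable via ingress port"
    if any(src in net for nets in table.values() for net in nets):
        return False, "source belongs to a prefix advertised on another port"
    return False, "no advertised path for source"

def compare_modes(packets, routes):
    """For each (port, src) packet return (port, src, strict_allowed, feasible_allowed)."""
    strict, feasible = build_tables(routes)
    return [(port, src, rpf_check(port, src, strict)[0], rpf_check(port, src, feasible)[0])
            for port, src in packets]

if __name__ == "__main__":
    pkts = [("peer-A", "203.0.113.5"), ("peer-A", "198.51.100.7"),
            ("peer-B", "203.0.113.9"), ("peer-A", "192.0.2.1")]
    for port, src, s, f in compare_modes(pkts, CONSTRUCTED_ROUTES):
        print(f"{port:7} {src:15} strict={'pass' if s else 'drop'} "
              f"feasible={'pass' if f else 'drop'}")
```

The second packet is legitimate but asymmetric traffic that strict RPF would wrongly discard; the third is spoofed and both modes drop it.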