VASE: Filtering IP spoofing traffic with agility
2012; Elsevier BV; Volume: 57; Issue: 1; Language: English
DOI: 10.1016/j.comnet.2012.08.018
ISSN: 1872-7069
Authors: Guang Yao, Jun Bi, Peiyao Xiao
Topic(s): Network Packet Processing and Optimization
Abstract: Filtering out traffic with forged source addresses on routers can significantly improve the security of the Internet. However, although IP spoofing attacks are intermittent, existing filtering mechanisms inspect every packet all the time, consuming considerable resources on routers even when there is no spoofing at all. This article considers the requirement for a solution that performs IP spoofing filtering with agility, consuming resources in proportion to the size of the attack. A novel IP spoofing filtering mechanism named Virtual Anti-Spoofing Edge (VASE) is proposed in this article. VASE uses sampling and on-demand filter configuration to reduce unnecessary overhead in peace time. The simulation-based evaluation shows that VASE has obvious advantages over commonly used mechanisms in various scenarios. VASE is fully compatible with current IP spoofing filtering practices and can be implemented with commodity routers. In the campus network of Tsinghua University, VASE is providing real benefits.