Peter Reiher UCLA
CT-ISG: Collaborative Research: Enabling Routers to Detect and Filter Spoofed Traffic
IP spoofing exacerbates many security threats. If spoofing were eliminated or sufficiently reduced, defenses against DDoS, distributed scanning and intrusions would be much simpler and more effective. Of particular interest are spoofing defenses that are both practical (cheap to deploy and operate) and effective (providing significant benefit in sparse deployment). This project develops two such defense mechanisms: (1) Clouseau, which enables routers on asymmetric paths to accurately infer associations between the route descriptor and the source address. It will support multiple associations (in case of multipath routing) and will promptly update associations when routes change. Clouseau will be integrated with two very effective spoofing defenses, route-based filtering (RBF) and hop-count filtering (HCF), and will protect deploying networks from spoofed traffic. (2) RAD, which helps networks protect themselves from reflector attacks.
Clouseau and RAD will operate completely autonomously. Deployment of Clouseau at as few as 50 chosen Internet autonomous systems, together with RBF or HCF, will reduce the amount of spoofed traffic on the Internet to less than 3%. In isolated deployment, Clouseau with RBF or HCF will reduce spoofed traffic received by the deploying network to less than 3%. The RAD system will offer significant protection from reflector attacks in isolated deployment and almost perfect protection when RAD is deployed in the Internet core.
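The following is an added example, not code from the project: a minimal hop-count filtering lookup that keeps several accepted hop counts per source prefix, as the multipath case above requires. How Clouseau infers the associations is not described on this page, so the table is filled by hand; the initial-TTL list, the /24 granularity, the class and method names, and the sample packets are assumptions of this example.

```python
import ipaddress

# Assumed set of initial TTLs that senders commonly use.
INITIAL_TTLS = (32, 64, 128, 255)

def infer_hop_count(observed_ttl):
    """Hops travelled = smallest assumed initial TTL >= observed TTL, minus observed."""
    if not 0 <= observed_ttl <= 255:
        raise ValueError("TTL out of range: %r" % observed_ttl)
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl

class HopCountTable:
    """Maps a source prefix to the set of hop counts seen as legitimate for it."""
    def __init__(self, prefix_len=24):
        self.prefix_len = prefix_len
        self.table = {}

    def _key(self, src):
        return ipaddress.ip_network("%s/%d" % (src, self.prefix_len), strict=False)

    def associate(self, src, hop_count):
        # Multipath: a prefix may legitimately arrive with more than one hop count.
        self.table.setdefault(self._key(src), set()).add(hop_count)

    def replace(self, src, hop_counts):
        # Route change: discard stale associations for this prefix.
        self.table[self._key(src)] = set(hop_counts)

    def check(self, src, observed_ttl):
        known = self.table.get(self._key(src))
        if known is None:
            return "unknown"  # no association yet, so no basis for filtering
        return "accept" if infer_hop_count(observed_ttl) in known else "spoofed"

def demo():
    table = HopCountTable()
    table.associate("198.51.100.7", 12)
    table.associate("198.51.100.7", 15)  # second path to the same prefix
    # Constructed sample packets: (source address, TTL on arrival).
    packets = [("198.51.100.20", 52),    # 64 - 52 = 12, known path
               ("198.51.100.20", 113),   # 128 - 113 = 15, second path
               ("198.51.100.20", 250),   # 255 - 250 = 5, matches neither
               ("203.0.113.9", 60)]      # prefix has no association
    return [table.check(src, ttl) for src, ttl in packets]

if __name__ == "__main__":
    print(demo())
```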
This research is leading to a significant reduction of spoofed traffic in the Internet. All code will be released to the public, and graduate and undergraduate students will receive valuable training from participation in this project.