Defending of IP Spoofing by Ingress Filter in Extended-Inter Domain Packet Key Marking System

Full Text (PDF, 263KB), PP.47-54

Views: 0 Downloads: 0


G.Velmayil 1,* S.Pannirselvam 1

1. Dept. of Computer Science, Department of Computer Science Quaid-E-Milleth Govt. college for Women (A), Erode Arts & Science College (A) Tamilnadu, India

* Corresponding author.


Received: 1 Jul. 2012 / Revised: 3 Oct. 2012 / Accepted: 25 Dec. 2012 / Published: 8 Apr. 2013

Index Terms

DDOS, IP spoofing, BGP, Ingress Filtering


The significance of the DDoS problem and the increased occurrence and strength of attacks has led to the dawn of numerous prevention mechanisms. IP spoofing is most frequently used in denial-of-service attacks. In such attacks, the goal is to flood the victim with overwhelming amounts of traffic, and the attacker does not care about receiving responses to the attack packets. IP spoofing is one of the basic weaknesses in the Internet Protocol to launch the DDOS attack. Each prevention mechanism has some unique advantages and disadvantages over the others. The existing methods become ineffective due to a large number of filters required and they lack in information about where to place the filter. We propose Ingress filter in Extended Inter Domain Packet Key marking system .This paper comprises of two functional blocks namely, Key marking system and filtering blocks. In the marking block, each source is labeled with a key. The key is changed continuously for a certain period of time to provide secured system and is validated at border routers. In the filtering block, spoofed packets are filtered at the border router using Ingress filter to filter beyond periphery routers. The filter placement algorithm clearly put forwards the conditions under which the filter can operate accurately. The accuracy of the proposed systems is validated using Network Simulator (NS-2).

Cite This Paper

G.Velmayil, S.Pannirselvam, "Defending of IP Spoofing by Ingress Filter in Extended-Inter Domain Packet Key Marking System", International Journal of Computer Network and Information Security(IJCNIS), vol.5, no.5, pp.47-54, 2013. DOI:10.5815/ijcnis.2013.05.06


[1]David Moore, Geoffrey Voelker, and Stefan Savage "Inferring Internet denial of service activity" in Proceedings of the USENIX Security Symposium, Washington, DC, USA, USENIX August 2001
[2]S.M. Bellovin. "Security Problems in the TCP/IP Protocol Suite" Computer Communication Review, Volume 19, Issue- 2, pp. 32-48, 1989.
[3]L. Todd Heberlein, Matt Bishop. "Attack Class: Address Spoofing", Proceedings of the 19th National Information Systems Security Conference, pp: 371-377, 1996.
[4]V. Paxson.," An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks", ACM SIGCOMM Computer Communications Review, Volume 31, Isssue 3, pp 38-47, 2001.
[5]Kihong Park and Heejo Lee. "On the effectiveness of Route based packet filtering for distributed DoS attack prevention in power-law internets". In Proceedings of the ACM , SIGCOMM, August 2001.
[6]Supranamaya Ranjan, Ram Swaminathan , Mustafa Uysal,Antonio Nucci, and Edward Knightly. "DDoS-Shield: DDoS-Resilient Scheduling to Counter Application Layer Attacks", IEEE/ACM Transactions on Networking, Volume 17, Issue 1, pp 26-39, 2009.
[7]Yu Chen, Kai Hwang and Wei-Shinn Ku. "Collaborative Detection of DDoS Attacks over Multiple Network Domains" IEEE Transactions on Parallel and Distributed Systems, Volume 18, Issue 12, pp 1649-1662, 2007.
[8]Noureldien A. Noureldien , Izzeldin M. Osman, "A Method for Defeating DoS/DDoS TCP SYN flooding Attack", The SYNDEF College of Technological Sciences Sudan University of Science and Technology, Research gate.
[9]K. Park, and H. Lee, "On the effectiveness of router- based packet filtering for distributed DoS attack prevention in power-law Internets," Proceedings of the ACM SIGCOMM Conference, 2001, pp. 15-26, 2001.
[10]Jelena Mirkovic , Nikola Jevtic and Peter Reiher. "A Practical IP Spoofing Defense through Route based Filtering " .University of Delaware, CIS department, Technical Report, CIS-TR, 2006.
[11]Zhenhai Duan, Xin Yuan and Jaideep Chandrasekhar. "Controlling IP Spoofing through Inter domain Packet Filters" IEEE Transactions on Dependable and Secure Computing, Volume 5, Number 1 , 2008.
[12]Qiming Li, Ee-Chien Chang, Mun Choon Chan. "On the Effectiveness of DDOS Attacks on Statistical Filtering", proceedings of IEEE INFOCOM, pp 1373-1383, 2005.
[13]Haining Wang, Cheng Jin , and Kang G. Shin . " Defense against Spoofed IP Traffic Using Hop-Count Filtering", IEEE /ACM Transactions on Networking, Volume 15, Issue 1, pp 40-53, 2007.
[14]Fu-Yuan Lee and Shiuhpyng Shieh. "Defending against spoofed DDoS attacks with path fingerprint", International Journal on Computers and Security, Volume 24, Issue 7, pp 571- 586, 2005.
[15]Ratul Mahajan, Steven M. Bellovin, Sally Floyd, John Ioannidis Vern Paxson, and Scott Shenker. "Controlling High Bandwidth Aggregates in the Network" ACM SIGCOMM Computer Communication Review, Volume 12, Issue 3, pp 62-73, 2002.
[16]Stavrou, A., Keromytis, A.D., Nieh, J., Misra, V., Rubenstein, D.. "MOVE: An End-to-End Solution to Network Denial of Service", In Proceedings of the Network and Distributed System Security Symposium, 2005.
[17]Abraham Yaar Adrian Perrig and Dawn Song. "Pi: A Path Identification Mechanism to Defend against DDoS Attacks" Proceeding of Symposium on Security and Privacy, 2003.
[18]Vamsi Paruchuri, Arjan Durresi and Sriram Chellappan. "TTL based Packet Marking for IP Trace back" IEEE Conference on Global Telecommunications, 2008.
[19]Jelena Mirkovic and Peter Reiher. "D-WARD: A Source-End Defense against Flooding Denial-of-Service Attacks" IEEE Transactions on Dependable and Secure Computing, Volume 2, Issue 3, pp 216- 232, 2005.
[20]Anat Bremler-Barr Hanoch Levy. "Spoofing Prevention Method " 24th IEEE Proceedings of Annual Joint Conference of the Computer and Communications Societies, pp 536-547, 2005.
[21]G.Velmayil and Dr. S.Pannirselvam. " Detection and Removal of IP Spoofing Through Extended-Inter Domain Packet Filter Architecture." International Journal of Computer Applications, July 2012.
[22]P. Ferguson D.Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing" . January 1998.