Filtering Spoofed Traffic

Members and Collaborators


IP spoofing has been a persistent Internet security threat for decades. While research solutions exist that can help an edge network detect spoofed and reflected traffic, the sheer volume of such traffic requires handling further upstream. Our work has focused on developing ways to detect and filter spoofed traffic at an ISP level.


RAD is a novel defense against reflector attacks. It has two variants – locally-deployed (L-RAD) and core-deployed (CRAD). Local RAD uses message authentication codes (MACs) to mark outgoing requests at their source, so the target of a reflector attack can differentiate between replies to legitimate and spoofed requests. MACs can be validated either at the target machine or on a gateway router at the target’s network. Core RAD, which is deployed at the AS level, handles larger attacks that overwhelm L-RAD. The source AS marks each packet it sends with a hash message authentication code (HMAC) and core ASes filter packets that carry incorrect HMACs. C-RAD prevents reflector attacks by filtering spoofed requests, rather than filtering reflected replies. We tested both variants using the DETER testbed by replaying backbone traces from the MAWI project archive in a congestionresponsive manner. Our tests show that Local RAD is better than the no-defense case, but gets overwhelmed when the attack exceeds the target’s network capacity. Core-deployed RAD successfully handles attacks of all rates


RESECT is a self-learning spoofed packet filter that detects spoofed traffic upstream from the victim by combining information about the traffic’s expected route and about the sender’s response to a few packet drops. RESECT is unique in its ability to autonomously learn correct filtering rules when routes change, or when routing is asymmetric or multipath. Its operation has a minimal effect on legitimate traffic, while it quickly detects and drops spoofed packets. In isolated deployment, RESECT greatly reduces spoofed traffic to the deploying network and its customers, to 8–26% of its intended rate. If deployed at 50 best-connected autonomous systems, RESECT protects the deploying networks and their customers from 99% of spoofed traffic, and filters 91% of spoofed traffic sent to any other destination. RESECT is thus both a practical and highly effective solution for IP spoofing defense.

Software and Datasets


This material is based upon work supported by the National Science Foundation under Grant No. 0716452. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation.