Spoofed IP traffic (traffic containing packets with falsified source IP addresses) is often used by Internet-based attackers for anonymity, to reduce the risk of trace-back and to evade detection by network-based sensors. By falsifying the source address of the network communication, an attacker disguises the identity of the machines that are used to carry out an attack. This makes it more difficult to detect and identify the sources of attack traffic and sometimes shifts attention away from the attackers and toward innocent third parties whose addresses were forged.
Most widely used operating systems allow a privileged process to emit packets with an arbitrary source IP address, so it is common for a skillful attacker to use an incorrect source address in attack traffic. Since IP routing is destination-based, spoofed IP packets are delivered to the intended target in the same way as non-spoofed IP packets. Spoofed IP packets are particularly prevalent in DDoS (Distributed Denial of Service) attacks, wherein an attacker can compel multiple intermediate compromised hosts to inundate a target host or network with a cumulatively high-volume IP traffic stream. Detection of such DDoS attacks by network-based sensors is difficult, since randomizing the source addresses ensures that the traffic volume attributable to any individual source address appears to be low.
In addition to high-volume attacks such as DDoS, relatively stealthy attacks may also employ spoofed IP packets. A notable example is the class of single-packet exploits typified by the Slammer worm, which compromises the destination node with a single UDP (User Datagram Protocol) packet; because the exploit completes without any reply from the victim, such a packet can carry a spoofed source IP address without impairing the attack. Thus, spoofed IP traffic detection is a generic means by which to detect several different types of network attacks without using specialized detectors for each attack.
Efforts have been made to solve the above problems.
One of the most common solutions to detect and contain spoofed IP traffic is egress filtering. This method uses filtering rules at the outbound interfaces of network border routers that prevent traffic whose source IP address is not among those legitimately assigned to that network from leaving the network. Thus, egress filtering attempts to address the detection and containment of spoofed traffic at its source. However, the disadvantage faced by egress filtering is a general unwillingness on the part of ISPs to implement it. The benefits of egress filtering accrue to other networks rather than to the ISP implementing the filtering, so there is very little incentive for the ISP to do so. Further, the maintenance of egress filters is a time-consuming process, and out-of-date or incorrect egress filters can lead to legitimate traffic being blocked. Accordingly, even though the mechanisms to implement egress filtering are available on most routers in the Internet, a large number of ISPs currently do not implement it. As a consequence, spoofed traffic can be freely originated from hosts at these ISPs.
Another approach for detecting and containing spoofed IP traffic is Unicast Reverse Path Forwarding (URPF). A URPF-enabled edge router drops an incoming IP packet at a given interface if the router's own best path back to the packet's source IP address does not use that interface. In other words, URPF relies on symmetric routing between sources and destinations and drops any packet that violates this symmetry. However, due to the dynamic nature of Internet routing protocols and the fact that each router independently chooses its best path to a destination, the best network path from a source to a destination may be quite different from the best reverse path. As a consequence, there can be many cases where URPF-based traffic filtering will drop traffic with valid source IP addresses. Thus, URPF only works in certain specific situations, such as on interfaces facing a singly-homed customer network, and is not a complete solution to the problem of detecting spoofed IP traffic.
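The egress filtering rule described above, and the maintenance hazard of a stale filter, can be modelled directly. The following Python is an added illustration and is not part of the original disclosure; the prefixes, packets and function names are hypothetical (addresses are taken from documentation ranges), and the last sample packet assumes a block assigned to the network after the filter was written.

```python
from ipaddress import ip_address, ip_network

# Constructed example: the prefixes legitimately assigned to the network
# behind the border router (hypothetical documentation-range addresses).
ASSIGNED_PREFIXES = ["192.0.2.0/24", "198.51.100.0/25"]

# Constructed outbound packets as (source, destination) pairs. The last
# entry carries a source from 198.51.100.128/25, a block assumed to have
# been assigned to the network after the filter was last maintained.
OUTBOUND = [
    ("192.0.2.10", "203.0.113.5"),      # legitimate
    ("10.0.0.1", "203.0.113.5"),        # spoofed, private source
    ("203.0.113.99", "203.0.113.5"),    # spoofed, external source
    ("198.51.100.200", "203.0.113.5"),  # legitimate, but newer than the filter
]


def build_egress_filter(assigned_prefixes):
    """Return a predicate that permits a packet only if its source address
    falls inside one of the network's assigned prefixes."""
    nets = [ip_network(p) for p in assigned_prefixes]

    def permit(src_ip):
        src = ip_address(src_ip)
        return any(src in net for net in nets)

    return permit


def apply_egress_filter(packets, assigned_prefixes):
    """Split (src, dst) packets into those forwarded and those dropped at
    the outbound interface."""
    permit = build_egress_filter(assigned_prefixes)
    forwarded, dropped = [], []
    for src, dst in packets:
        (forwarded if permit(src) else dropped).append((src, dst))
    return forwarded, dropped


def stale_filter_false_drops(packets, stale_prefixes, current_prefixes):
    """Sources that an out-of-date filter drops even though the current
    assignment would permit them: legitimate traffic blocked by a stale rule."""
    stale = build_egress_filter(stale_prefixes)
    current = build_egress_filter(current_prefixes)
    return [src for src, _ in packets if current(src) and not stale(src)]


if __name__ == "__main__":
    fwd, drp = apply_egress_filter(OUTBOUND, ASSIGNED_PREFIXES)
    print("forwarded:", fwd)
    print("dropped:", drp)
    print("falsely dropped by the stale filter:",
          stale_filter_false_drops(OUTBOUND, ASSIGNED_PREFIXES,
                                   ASSIGNED_PREFIXES + ["198.51.100.128/25"]))
```

The two spoofed packets are contained at the border, which is the benefit the filtering ISP never sees itself; the fourth packet shows why operators are reluctant to maintain such rules, since an assignment the filter does not know about is indistinguishable from a spoof.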
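The reverse-path check, and the way asymmetric routing causes it to drop valid packets, can be shown against a small forwarding table. The following Python is an added illustration, not code from the original disclosure or from any router vendor; the forwarding table, interface names and function names are hypothetical. It also includes the widely deployed "loose" variant, which only requires that some route back to the source exist, as the caveat a practitioner would want alongside the strict check.

```python
from ipaddress import ip_address, ip_network

# Constructed forwarding table of an edge router: prefix -> outbound interface.
FIB = {
    "0.0.0.0/0": "eth0",         # default route toward the upstream provider
    "203.0.113.0/24": "eth0",    # a remote network, best path via upstream
    "192.0.2.0/24": "eth1",      # directly attached customer A
    "198.51.100.0/24": "eth2",   # directly attached customer B
    "203.0.113.128/25": "eth3",  # more specific route learned over a peering link
}


def lookup(fib, ip, allow_default=False):
    """Longest-prefix match of ip in fib; returns (network, interface) or None.
    The default route is ignored unless allow_default is set, mirroring the
    usual router behaviour of not trusting 0.0.0.0/0 for reverse-path checks."""
    addr = ip_address(ip)
    best = None
    for prefix, iface in fib.items():
        net = ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(fib, src_ip, ingress_iface, strict=True, allow_default=False):
    """Return True if a packet from src_ip arriving on ingress_iface passes.
    strict: the best route back to src_ip must leave via ingress_iface
            (the symmetry assumption described above).
    loose:  any route back to src_ip suffices; with a default route permitted
            this accepts every address and detects nothing."""
    match = lookup(fib, src_ip, allow_default)
    if match is None:
        return False
    _, out_iface = match
    return out_iface == ingress_iface if strict else True


if __name__ == "__main__":
    # Customer address arriving on the customer link: accepted.
    print(urpf_check(FIB, "192.0.2.5", "eth1"))
    # Same customer address arriving from upstream: spoofed, dropped.
    print(urpf_check(FIB, "192.0.2.5", "eth0"))
    # Valid remote source sent to us over the peering link (eth3) although our
    # best path back to 203.0.113.0/24 is via eth0: strict mode drops it.
    print(urpf_check(FIB, "203.0.113.7", "eth3"))
    print(urpf_check(FIB, "203.0.113.7", "eth3", strict=False))
```

The third case is the asymmetry the text warns about: the peer's best path toward this router differs from this router's best path back, and strict URPF discards legitimate traffic; loose mode admits it but also admits any spoofed address that happens to be routable.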
A wide variety of other detection methods can be classified as host-based methods (active or passive) and routing-based methods. Host-based methods require additional functionality at the hosts that are the destinations of potentially spoofed traffic. Such methods are not easy to implement simply because of the large number of end points at which they would need to be deployed; thus, it is impractical to implement host-based methods on a large scale to solve the problem in its entirety. Routing-based detection methods, on the other hand, attempt to distinguish between addresses that are internal and external to a network and are limited in the extent to which they can solve the spoofing detection problem. Detection of external source addresses on outbound packets is essentially the same as egress filtering (described above) and thus faces the same limitations. Detection of internal source addresses on incoming packets provides only a limited solution, since it cannot detect spoofing if the incoming packet bears an external source IP address.
Furthermore, another scheme to defend against DDoS attacks, based on IP source address filtering near the attack target, has also been discussed among network administrators and designers. According to this scheme, each edge router keeps a history of all the legitimate source IP addresses that have previously appeared in the network. When the edge router is overloaded, this history is used to decide whether to admit an incoming IP packet. However, this scheme only provides a limited solution to the problem, because it makes use of a history set of source IP addresses observed at only a single edge router. If the source IP address on an incoming packet is not in that edge router's history set but is nevertheless valid, the packet could incorrectly be dropped as spoofed.
Yet another known scheme presents a predictive ingress filtering approach that makes use of the “InFilter” hypothesis to detect spoofed source IP addresses in traffic near its destination. The approach leverages historical source IP address information across multiple edge routers to infer spoofing activity in observed traffic. This scheme somewhat alleviates the problem by using source IP address histories gathered across multiple edge routers rather than at one. If the source IP address on an incoming packet is not in the incoming edge router's history set but is in the history set of some other edge router, the packet is not allowed to pass through and is instead dropped on the grounds that it arrived at the wrong edge. However, this method still suffers from a limitation when certain source IP addresses are not seen at any of the edge routers in the ISP's network during the period when historical information is gathered: if such addresses are observed at a later time, their packets would be dropped as spoofed.
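Both history-based schemes above, the single-router admission filter and the multi-router InFilter variant, rest on the same per-edge history of observed source addresses, so one model serves both. The following Python is an added, simplified illustration and is not the actual implementation of either scheme; the edge router names, learning-period traffic, incoming packets and method names are hypothetical. It shows what the extra histories buy (a "wrong edge" verdict rather than a bare "unknown") and the shared limitation that a valid source never seen during the learning period is dropped by both.

```python
from collections import defaultdict

# Constructed learning-period observations: (edge router, source IP) pairs.
LEARNING_TRAFFIC = [
    ("edgeA", "192.0.2.10"),
    ("edgeA", "198.51.100.7"),
    ("edgeB", "203.0.113.4"),
]

# Constructed packets later arriving at edgeA: one known locally, one known
# only at edgeB, and one valid source never seen during learning.
INCOMING_AT_A = ["192.0.2.10", "203.0.113.4", "203.0.113.200"]


class EdgeHistory:
    """Per-edge-router history of source IP addresses seen in the network."""

    def __init__(self):
        self.seen = defaultdict(set)  # edge name -> set of source IPs

    def learn(self, edge, src_ip):
        self.seen[edge].add(src_ip)

    def admit_single_edge(self, edge, src_ip, overloaded):
        """Single-router scheme: the check applies only under overload and
        consults this edge's own history alone. Returns (admit, reason)."""
        if not overloaded:
            return True, "not overloaded: admitted without check"
        if src_ip in self.seen[edge]:
            return True, "in local history"
        return False, "not in local history"

    def admit_infilter(self, edge, src_ip):
        """InFilter-style check: a source is expected at the edge where it was
        seen historically; seen elsewhere means wrong edge, seen nowhere is
        still dropped. Returns (admit, reason)."""
        if src_ip in self.seen[edge]:
            return True, "in local history"
        elsewhere = sorted(e for e, ips in self.seen.items()
                           if e != edge and src_ip in ips)
        if elsewhere:
            return False, f"arrived at wrong edge (history at {', '.join(elsewhere)})"
        return False, "never seen at any edge (valid new sources are dropped too)"


def build_history(observations):
    history = EdgeHistory()
    for edge, src in observations:
        history.learn(edge, src)
    return history


def classify(history, edge, packets, overloaded=True):
    """Run both schemes over packets arriving at one edge router."""
    return {src: {"single": history.admit_single_edge(edge, src, overloaded),
                  "infilter": history.admit_infilter(edge, src)}
            for src in packets}


if __name__ == "__main__":
    verdicts = classify(build_history(LEARNING_TRAFFIC), "edgeA", INCOMING_AT_A)
    for src, v in verdicts.items():
        print(f"{src:16} single={v['single']}  infilter={v['infilter']}")
```

The third packet is the gap both schemes leave open and that the remainder of this disclosure addresses: a source address that is legitimate but absent from every history looks exactly like a spoof.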
Therefore, there is a need for a reliable and effective method and apparatus to detect network traffic with spoofed source IP addresses.