It is well known that in data communications networks, such as the Internet, security vulnerabilities are routinely exploited by hackers and other malicious users. Examples include denial of service attacks, worms and virus attacks, all of which exploit weaknesses in the Internet infrastructure. Typically the attacker desires to hide his or her identity, which can be determined from the source address field of the data packet. In order to accomplish this the attacker may use as the attacker's source address the Internet Protocol (IP) address of another node or host. This other host may be an existing (valid) host or a non-existing (or non-active or currently invalid) host. This common type of deception is typically referred to as “IP Spoofing”. When a victim host receives such a request it has no knowledge of the legitimacy of the request, and it may react to the packet from the attacker and, in some cases, may respond to the packet. The IP Spoofing attack is a common problem, and attacks such as the Distributed Denial of Service (DDoS) are typically based on IP Spoofing.
There are several forms of defense to attacks that use a spoofed IP address. One basic mechanism involves filtering the packet before forwarding the packet towards its destination. This approach requires the configuration and management of data packet filters. How and when to filter an IP packet presents, however, a complex management task for a large Internet Service Provider (ISP) that typically receives millions of packets during short intervals of time. Many smaller ISPs may use some form of static filters to protect their network resources from intrusion attacks. These ISPs may also prevent the attacker from learning the network topology by providing private addresses. In general, most such intrusive attacks occur at access networks and at network nodes where the packet traffic originates or terminates.
A network router forwards a received packet based on the destination address contained within the packet header. However, during the forwarding process the source address, also contained within the packet header, is normally not verified. An attacker may thus cleverly craft an IP packet with a source address that is an unused IP address, or with a valid IP address of another host (which can be located near to or far from the attacker or malicious host). The typical router does not have the intelligence to check the validity of the source address, as the router's primary purpose is to simply execute a packet forwarding function based on the packet destination address.
Tracking down the source of a packet (providing traceability) is a significant problem in the Internet. There are techniques such as those known as iTrace and as PathTrace that in general attempt to analyze the packet when the router or the network detects some abnormal behavior. Currently, however, it is difficult to detect and distinguish normal from abnormal behavior, a problem that is compounded by the fact that traffic patterns on the Internet are typically bursty. When a host is under attack the victim host and the network quickly become flooded with packets, at which time it is typically too late to react to the attack.
Ingress filtering is a mechanism whereby the network rejects a packet with an invalid (or spoofed) source address. This requires some explicit filtering scheme, typically near a gateway (a connection point to another network or to the Internet backbone) of the network, and requires some mechanism to configure and maintain the required ingress filter tables. However, the typical ISP does not desire to perform ingress filtering unless the ISP becomes the victim network, as it increases cost due to the required management and maintenance of the ingress filter(s). Furthermore, the majority of attacks occur near the access network, where it is relatively easy for the attacker to flood the victim network with a packet storm. Thus, unless all ISPs incorporate an ingress filtering mechanism, the forgery of an IP address at some unprotected ISP cannot be prevented.
It is believed that at present some ISPs perform a manual configuration and management of ingress filtering. However, this requires additional knowledge in order to constantly modify the ingress filter tables according to changes in the network topology.
As was noted above, routing is the activity of forwarding an IP packet towards the destination of the IP packet, as determined from the IP packet destination address field. The Routing Information Protocol (RIP), the Intermediate System to Intermediate System protocol (IS-IS) and Open Shortest Path First (OSPF) are examples of interior routing protocols used mainly within one administrative domain or Autonomous System (AS). Interior routing protocols such as OSPF perform routing based on link state, where network routers construct the routing topology (in the router database). The ensuing discussion will focus, for convenience, on the OSPF protocol. Those skilled in the art should realize, however, that other types of routing protocols could be similarly discussed.
Referring to FIG. 1, consider a router 10 with two external interfaces, A and B, and assume that the routing software is a monolithic unit embodied in a route processor 12. Assume also that router line cards 14, connected to hosts 16, are not provided with local intelligence. In this most basic case the route processor 12 stores and maintains a routing table (RT) 12A, and the lookup of destination addresses is performed using the routing table 12A. All incoming IP packets are simply forwarded from the line cards 14 to the route processor 12.
Due to the increase in high speed interconnect hardware, the concept of routing has now become distributed within a single enclosure or unit. Referring to FIG. 2, each line card 14 is provided with intelligence to forward incoming packets based on information in a local forwarding table (FT) 14A. This approach improves performance and also decouples the computation logic executed by the route processor 12 from the forwarding path. The line cards 14 participate in the routing protocol and learn the network prefixes, that is, the network addresses (e.g., IP addresses) of the connected hosts 16. The line cards 14 do not process incoming IP control packets, such as Routing Protocol Update packets, but instead forward any incoming IP control packets to the route processor 12 (which may be embodied as a router control card). The route processor 12 is responsible for collecting all of the routing information gathered by each line card 14. The route processor 12 then constructs the routing table 12A and also a global forwarding table 12B. The global forwarding table 12B is basically a subset of the routing table 12A, and is provided from the route processor 12 to each line card 14, where it becomes the local forwarding table 14A. A given line card 14 uses the forwarding table 14A to perform the packet forwarding function. As can be appreciated, in this approach all of the entries of the forwarding table 14A in each line card 14 are the same, irrespective of the line card 14 location and the network topology knowledge that may be acquired by the line card 14 through its interface to the connected hosts 16.
An advantage of this type of approach is that it is straightforward for the route processor 12 to construct the single global forwarding table 12B. Furthermore, it may happen that packets can come through any arbitrary interface of the router 10 (based on changes in topology and possibly load balancing schemes) and, therefore, each line card 14 is able to forward any arriving packet, as all of the line cards 14 have an identical forwarding table 14A. This provides an external appearance that the set of distributed forwarding line cards 14 provide a single-hop type of forwarding.
A problem that arises in this type of system is that a host can send a packet with a spoofed source address through a given one of the line cards 14, which has not previously seen the spoofed network prefix. It thus becomes difficult to detect the forgery of the source address.
Referring to FIG. 3, in an attempt to avoid this type of spoofing an ISP may configure a filter 18A either at a gateway router 18, or at some intermediate aggregation point, before forwarding packets to an upstream service provider 19. The filter 18A must, however, be kept current to reflect the actual network topology so as to detect a fraudulent source address generated by one of the hosts 16. This requires a constant monitoring and updating of the filter 18A that, unless an attack actually occurs, results in added cost and complexity for the ISP.
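The ingress filtering check described above, and the weakness of an identical global forwarding table in every line card (FIGS. 2 and 3), as an added Python example that is not part of the original document. The router, line card names, prefixes and source addresses are constructed for illustration; a packet passes a check when its source address falls inside a prefix the checking card holds. The same check is run once against the global table every card receives, and once against only the prefixes the card learned through its own interface.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class LineCard:
    """One forwarding line card (hypothetical model of line card 14)."""
    name: str
    # prefixes learned through this card's own interface to connected hosts
    learned: set = field(default_factory=set)
    # copy of the global forwarding table pushed down by the route processor
    forwarding_table: set = field(default_factory=set)


class Router:
    """Distributed-forwarding router whose route processor builds one global table."""

    def __init__(self):
        self.cards = {}
        self.global_ft = set()

    def add_card(self, name):
        self.cards[name] = LineCard(name)
        return self.cards[name]

    def learn_prefix(self, card_name, prefix):
        """A card learns a prefix; the route processor redistributes the global table."""
        net = ipaddress.ip_network(prefix)
        self.cards[card_name].learned.add(net)
        self.global_ft.add(net)
        for card in self.cards.values():
            card.forwarding_table = set(self.global_ft)

    @staticmethod
    def _covered(src, prefixes):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in prefixes)

    def check_global(self, card_name, src):
        """Ingress check against the identical global table every card holds."""
        return self._covered(src, self.cards[card_name].forwarding_table)

    def check_local(self, card_name, src):
        """Ingress check against only the prefixes this card learned itself."""
        return self._covered(src, self.cards[card_name].learned)


def demo():
    """Constructed topology: card A serves 10.1.0.0/24, card B serves 10.2.0.0/24."""
    r = Router()
    r.add_card("A")
    r.add_card("B")
    r.learn_prefix("A", "10.1.0.0/24")
    r.learn_prefix("B", "10.2.0.0/24")
    return {
        # a host behind B using its own address passes both checks
        "legit_on_B_global": r.check_global("B", "10.2.0.7"),
        "legit_on_B_local": r.check_local("B", "10.2.0.7"),
        # a host behind B claiming an address from A's prefix: the global
        # table accepts it, because every card holds A's prefix too
        "spoofA_on_B_global": r.check_global("B", "10.1.0.5"),
        "spoofA_on_B_local": r.check_local("B", "10.1.0.5"),
        # an unused address is rejected by both forms of the check
        "unused_on_B_global": r.check_global("B", "192.0.2.77"),
        "unused_on_B_local": r.check_local("B", "192.0.2.77"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {'accept' if value else 'drop'}")
```

The global-table check catches only addresses that belong to no prefix the router knows at all, which is the basic ingress filter of the preceding paragraphs; the per-card check also rejects a valid address of another host arriving on a card that never learned that prefix, which is exactly the case the global table cannot distinguish.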
As should be appreciated, a need exists to provide an improved technique for detecting spoofed IP source addresses.