The present invention relates generally to computer software, and more particularly, to a system and method for filtering Internet protocol (IP) address spoofed packets in a private network.
Generally, networks can be described as either public or private. A common example of a public network is the Internet. A common example of a private network is a corporate network. Many corporate networks may actually include one or more inter-connected networks which may be geographically dispersed but managed by a single authority (e.g., the corporation). Often, a private network utilizes a part of a public network. For example, a virtual private network (VPN) may use facilities that are owned by a public entity. Also, some corporate networks may actually be connected over the Internet through VPN.
Computer networks have become more and more sophisticated and complex in their management of data communication traffic. At the same time, concerns for the security of the computer networks, especially those of private networks, have escalated. One major concern is called “spoofing.” Spoofing is an unauthorized act by a host generating and sending an IP packet containing a source IP address belonging to some other computer and thereby impersonating the other computer. Since there is often no source IP address authentication in a computer network's protocol specification and implementation, source IP address spoofing by various hosts is possible.
As is well known in the industry, spoofing has been used to launch a variety of attacks on networks. Two specific types of attacks that have caused a great deal of concern for network administrators are Denial of Service (DOS) and Distributed Denial of Service (DDOS). In these attacks, the intent of the attacker is not to harm the victim by stealing, destroying, or manipulating confidential data on the victim's computer. Instead, the attacker's intention is to illegitimately consume the victim's finite resources so that the victim is either unable to service the legitimate requests it could otherwise handle, or unable to access services provided by others. The resources targeted by the attacker include network bandwidth and system resources such as memory. Some well-known attacks, often referred to as SYN flood, Smurf, and Land, use source IP address spoofing to form illegitimate request packets. In a DDOS attack, these requests can be sent simultaneously by many intermediary systems that the attacker has already compromised. A further concern is that the attacker may use these intermediary systems as a launching pad for attacks to harm the victims.
If a network can stop these packets bearing a spoofed source IP address from leaving the network, then such a network cannot be used as a launching pad for DOS/DDOS attacks against a victim computer. Therefore, it is important that a private network protect itself from being used as a launching pad for these attacks either intentionally or unintentionally.
An earlier proposed method for preventing spoofing in a private network uses “Ingress Filtering” on IP packets. See Ferguson, P. and Senie, D., Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing, http://www.ietf.org/rfc/rfc2827.txt?number=2827. An ingress filter discards those IP packets whose source IP address does not reside in a predefined network IP address space. This filtering can be performed by internal routers as well as by border routers connecting to the network environment external to the private network.
However, this ingress filtering method has certain disadvantages. For example, the ingress filter needs to be manually configured on appropriate interfaces of routers as well as the border routers in a private network because the routers cannot automatically decide the filtering details for their interfaces. Moreover, the ingress filter on a router interface needs an IP network prefix that covers all subnets behind the interface—such a prefix may not exist for most internal routers. If the prefix does not exist, it is not possible to configure the ingress filter for these internal routers, making it impossible to prevent IP spoofing from happening “deep” in the network.
Another problem is that “holes” (unassigned IP addresses) exist because all the available addresses in the subnet address space may not be fully used. Consequently, a packet containing a spoofed source IP address associated with a hole may not be detected by the ingress filter.
In addition, the ingress filter at the border router is not able to detect and prevent spoofing within a network because a host may generate source IP address spoofed packets with the IP address of another host in the same or different subnet, which also belongs to the same private network.
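The following added example (not part of the patent text) models a prefix-based ingress filter of the kind RFC 2827 describes and exercises the three limitations discussed above: packets from outside the prefix are discarded, but a spoofed source that falls in an unassigned “hole” or that impersonates another host behind the same interface passes undetected. The prefix, host addresses, and packets are constructed for illustration.

```python
import ipaddress

# Constructed: an IP network prefix covering all subnets behind one router
# interface. Such a prefix is what an ingress filter needs; the text notes
# it may not even exist for most internal routers.
INTERFACE_PREFIX = ipaddress.ip_network("10.1.0.0/16")

# Constructed: the addresses actually assigned to hosts behind that interface.
# Every other address inside the prefix is a "hole".
ASSIGNED_HOSTS = {
    ipaddress.ip_address("10.1.1.10"),
    ipaddress.ip_address("10.1.1.11"),
    ipaddress.ip_address("10.1.2.20"),
}


def ingress_filter(src_ip: str) -> bool:
    """Classic RFC 2827 style check on an outbound packet.

    Returns True if the packet is forwarded (source lies inside the
    interface prefix) and False if it is discarded.
    """
    return ipaddress.ip_address(src_ip) in INTERFACE_PREFIX


def is_hole(src_ip: str) -> bool:
    """True if the address is inside the prefix but assigned to no host.

    The prefix filter alone cannot distinguish a spoofed source in a hole
    from a genuine one, because it only consults the prefix.
    """
    addr = ipaddress.ip_address(src_ip)
    return addr in INTERFACE_PREFIX and addr not in ASSIGNED_HOSTS


def classify(src_ip: str, sending_host_ip: str) -> str:
    """Report the filter's decision and whether it was the right one.

    sending_host_ip is the address of the host that really emitted the
    packet; a real router does not know this, which is exactly the gap.
    """
    if not ingress_filter(src_ip):
        return "discarded: source outside prefix"
    if src_ip == sending_host_ip:
        return "forwarded: legitimate"
    if is_hole(src_ip):
        return "forwarded: spoofed, source is an unassigned hole (undetected)"
    return "forwarded: spoofed, impersonates another internal host (undetected)"
```

Only the first case is caught; the two “forwarded: spoofed” outcomes are the holes and intra-network impersonation the text identifies as blind spots of prefix-based ingress filtering.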
What is needed is an improved method for dealing with source IP address spoofing.
Furthermore, some applications in the private network computing environment, such as a distributed file service based on a remote procedure call (RPC) service in an enterprise, rely on source IP addresses for host authentication for the purpose of resource access control. Although an IP address is uniquely associated with a host, it is not a reliable basis for authenticating that host, because another host can impersonate the former by using its address for spoofing. Various applications and services that use IP addresses for authentication are therefore vulnerable to impersonation attacks.
Therefore, an improved method to deal with the problem of impersonation in applications in a private network that employs source IP address for authentication is also needed.