CONTROLLING IP SPOOFING THROUGH INTER DOMAIN PACKET FILTERS

IP Spoofing is a serious threat to the legitimate use of the Internet. By employing IP spoofing, attackers can overload the destination network thus preventing it from providing service to legitimate user. In this paper, we propose an inter domain packet filter (IDPF) architecture that can minimize the level of IP spoofing on the Internet. A key feature of our scheme is that it does not require global routing information.  IDPFs are constructed from the information implicit in Border Gateway Protocol (BGP) route updates and are deployed in network border routers.  We establish the conditions under which the IDPF framework correctly works in that it does not discard packets with valid source addresses. We show that, even with partial deployment on the Internet, IDPFs can proactively limit the spoofing capability of attackers. In addition, they can help localize the origin of an attack packet to a small number of candidate networks.