Abstract

IP spoofing exacerbates many security threats, and reducing it would greatly enhance Internet security. Seven defenses that filter spoofed traffic have been proposed to date; three are designed for end-network deployment, while four assume some collaboration with core routers for packet marking or filtering. Because each defense has been evaluated in a unique setting, the following important questions remain unanswered: 1) Can end networks effectively protect themselves or is core support necessary? 2) Which defense performs best assuming sparse deployment? 3) How to select core participants to achieve best protection with fewest deployment points? This paper answers the above questions by: 1) formalizing the problem of spoofed traffic filtering and defining novel effectiveness measures, 2) observing each defense as selfish (it helps its participants) or altruistic (it helps everyone) and differentiating their …

Date

December 1, 2009

Authors

Jelena Mirkovic, Ezra Kissel

Journal

IEEE Transactions on Dependable and Secure Computing

Volume

8

Issue

2

Pages

218-232

Publisher

IEEE