Publications

A Practical IP Spoofing Defense Through Route-Based Filtering

Abstract

We present the design and evaluation of the Clouseau system, which together with route-based filtering (RBF) acts as an effective and practical defense against IP spoofing. RBF's performance critically depends on the completeness and accuracy of the information used for spoofed-packet detection. Clouseau autonomously harvests this information and updates it promptly upon a route change. RBF information is inferred by filters that apply randomized drops to TCP data traffic arriving from suspicious or previously unknown sources and observe the subsequent retransmissions. No communication is required with packet sources or other RBF routers, which makes Clouseau (and RBF) suitable for partial deployment. We show through experiments with a Clouseau prototype that the operating cost is reasonable and that legitimate TCP connections do not experience large delays because of the randomized drops. The inference process is resilient to subversion by an attacker who is familiar with Clouseau. We motivate our work by showing that RBF brings instant benefit to the deploying network, and that it can drastically reduce the amount of spoofed traffic in the Internet if deployed at as few as 50 chosen autonomous systems.
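A toy model of the inference the abstract describes, added here as an illustration and not code from the paper or the Clouseau prototype. It assumes /24 prefixes as the keys of the RBF table, one probe per (source, sequence number) pair, and a retransmission on the same ingress interface as the dropped segment as the confirmation signal; the paper's measures against an attacker who replays segments to fake a retransmission are not modeled.

```python
import random


class ClouseauFilter:
    """Route-based filter whose (prefix -> interface) table is learned by
    dropping a TCP data segment and watching for its retransmission."""

    def __init__(self, drop_prob=0.5, seed=0):
        self.rbf = {}        # source prefix -> interface it is expected to arrive on
        self.pending = {}    # (src, seq) -> interface on which that segment was dropped
        self.drop_prob = drop_prob
        self.rng = random.Random(seed)

    @staticmethod
    def prefix(src):
        # Assumption: bindings are kept per /24 prefix (the paper may use other granularity).
        return ".".join(src.split(".")[:3]) + ".0/24"

    def handle(self, src, iface, seq):
        """Process one TCP data segment; return 'forward' or 'drop'."""
        p, key = self.prefix(src), (src, seq)
        if key in self.pending:
            # Retransmission of a segment we dropped. Only a host that really
            # owns src saw the loss, so the interface it used gives the binding.
            # No message to the source or to other routers is needed.
            if self.pending.pop(key) == iface:
                self.rbf[p] = iface
                return "forward"
            return "drop"
        if p in self.rbf and self.rbf[p] == iface:
            return "forward"      # matches the RBF table
        if p in self.rbf:
            # Mismatch: spoofed, or the route changed. RBF drops it, but the
            # segment is remembered so a retransmission can re-learn the route.
            self.pending[key] = iface
            return "drop"
        # Unknown source: randomized drop to probe for a retransmission; the
        # rest is forwarded, since RBF has nothing to check it against yet.
        if self.rng.random() < self.drop_prob:
            self.pending[key] = iface
            return "drop"
        return "forward"


def scenario():
    """Constructed trace: (source, ingress interface, TCP sequence number)."""
    f = ClouseauFilter(drop_prob=1.0)        # probe every unknown segment (deterministic run)
    trace = [
        ("10.1.1.5", "eth0", 100),           # legitimate host, first segment: probed
        ("10.1.1.5", "eth0", 100),           # its retransmission: binding learned
        ("10.1.1.5", "eth0", 1560),          # later data matches the table
        ("10.1.1.9", "eth1", 7),             # 10.1.1.0/24 source on the wrong interface: spoofed
        ("198.51.100.4", "eth1", 42),        # unknown spoofed source: probed, never retransmits
    ]
    return [f.handle(*pkt) for pkt in trace], dict(f.rbf)
```

Spoofed sources never answer the probe, so they never earn a table entry; a route change is absorbed because the first mismatching segment is dropped and its retransmission on the new interface updates the binding.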

Date
January 1, 1970
Authors
Jelena Mirkovic, Nikola Jevtic, Peter Reiher
Journal
University of Delaware CIS Department Technical Report CIS-TR-2006-332