Full Program »
RESECT: Self-Learning Traffic Filters for IP Spoofing Defense
IP spoofing has been a persistent Internet security threat for decades. While research solutions exist that can help an edge network detect spoofed and reflected traffic, sheer volume of such traffic requires handling further upstream.
We propose RESECT — a self-learning spoofed packet filter, which detects spoofed traffic upstream from the victim by combining information about the traffic’s expected route and about the sender’s response to a few packet drops. RESECT is unique in its ability to autonomously learn correct filtering rules when routes change, or when routing is asymmetric or multipath. Its operation has minimal effect on legitimate traffic, while it quickly detects and drops spoofed packets. In isolated deployment, RESECT greatly reduces spoofed traffic to the deploying network and its customers, to 8–26% of its intended rate. If deployed at 50 best-connected autonomous systems, RESECT protects the deploying networks and their customers from 99% of spoofed traffic, and filters 91% of spoofed traffic sent to any other destination. RESECT is thus both practical and highly effective solution for IP spoofing defense.